Re: Daily indexing volume limit exceeded shown on ...

remy06 · ‎10-20-2010

Hi,

I have installed Splunk on serverA. ServerA is configured to monitor local events and at the same time is pulling WMI events from serverB.

It is configured as a regular forwarder and is forwarding both events to our Splunk indexer.

When I login to Splunkweb at ServerA,I get a notice bar at the top of the page stating "Daily indexing volume limit exceeded".

Is there any concern for this as it is already configured as a forwarder? Will it have any effect on the events being indexed?

remy06 · ‎11-10-2010

splunk 4.1.5. Have configured it as a forwarder so should be using the forwarder license.

araitz · ‎11-03-2010

You never stated what version of Splunk this is, or what license you are using.

bwooden · ‎10-20-2010

It will not affect indexing but you may wish to resolve it so you don't become immune to noticing error messages. 🙂

Verify the forwarder is not indexing AND forwarding.

From the GUI, you would follow these steps...

   1. click Manager > Forwarding and receiving > Forwarding defualts
   2. Select radio button "No" for "Store a local copy of forwarded events?"
   3. click Save button

This is equivalent to outputs.conf setting:

indexAndForward = false

remy06 · ‎10-29-2010

It seems to be still performing its task..but the notice is still there..Anyone?

remy06 · ‎10-21-2010

It is already configured not to "store a local copy of forwarded events".

This serverA is used to pull WMI events from serverB which filters off some windows events and the forwards them to Splunk indexer. It is at the same time forwarding local events to Splunk indexer.In this case is it indexing and forwarding as well?

Daily indexing volume limit exceeded shown on forwarder

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!