Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Help in limiting my indexing needed.

benstraw
Splunk Employee
Splunk Employee
‎02-08-2010 07:36 PM

I have a 1GB license and I am trying to contain my daily indexing so that I don't exceed the maximum indexing volume allowed for my license. What would you recommend I do (configuration-wise) to attain this?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Gaurav
Splunk Employee
Splunk Employee
‎02-08-2010 09:11 PM

What is the nature of the data that is causing you to exceed your index column and how is it arriving to splunk?

One option is to simply not index certain events, if you know which ones you'd like to exclude from indexing. You can do this by specifying a matching regex and routing these events to a nullqueue.

See the below docs on how to do this:

http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Routeandfilterdatad

View solution in original post

Reply
Solved! Jump to solution

dpaper
Explorer
‎01-26-2011 02:38 PM

A 100% effective, although unconventional, way to ensure that you never go over your indexing limit is to limit how fast the index can run.

$SPLUNK/etc/system/local/limits.conf:

[thruput]

maxKBps =

To figure out what the # should be, divide the daily license cap (1GB: 1073741824 bytes) by 86400 (seconds in a day), to get your max Kbps rate (12427 bytes/sec, or 12KB). This doesn't sound like much, and it isn't for a single second, but if splunk runs steadily all day long, you'll get close to your limit, but not go over it.

Reply
Solved! Jump to solution
Solution

Gaurav
Splunk Employee
Splunk Employee
‎02-08-2010 09:11 PM

What is the nature of the data that is causing you to exceed your index column and how is it arriving to splunk?

One option is to simply not index certain events, if you know which ones you'd like to exclude from indexing. You can do this by specifying a matching regex and routing these events to a nullqueue.

See the below docs on how to do this:

http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Routeandfilterdatad

Reply
Solved! Jump to solution

ftk
Motivator
‎01-26-2011 02:40 PM

To be more specific, you will want to route the events you don't need indexed to the nullQueue -- these events will be discarded and do not count against your license.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...