Solved: Re: How to avoid exceeding daily limit when monito...

edrivera3 · ‎03-31-2017

I want to monitor a directory that already has many gbs of data (historical data). New data is added to that directory but in a low rate 50mbs/daily. I want to index all the data to Splunk without exceeding the daily limit. I don't need all the data to be indexed at once.

Is there a way to control how much data is indexed daily?

On limits.conf there is a setting called maxKBps, but it seems it's related to forwarders.

richgalloway · ‎03-31-2017

Go ahead and index it all at once. If you blow your license it'll only be one time. You're allowed 3 violations per month, IIRC.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-31-2017

Go ahead and index it all at once. If you blow your license it'll only be one time. You're allowed 3 violations per month, IIRC.

---
If this reply helps you, Karma would be appreciated.

edrivera3 · ‎03-31-2017

This is not an option. If I do that I will exceed 3 violations per month.

edrivera3 · ‎03-31-2017

Ok. how much data I can index above the limit in a single day?

adonio · ‎03-31-2017

as much as you want
you can index terabytes of data in a day and count as 1 warning
@richgalloway answer is correct IMHO

edrivera3 · ‎03-31-2017

Ohh cool. I didn't know that. Thanks

How to avoid exceeding daily limit when monitoring directory?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!