Solved: How to avoid exceeding daily limit when monitoring...

edrivera3 · ‎03-31-2017

I want to monitor a directory that already has many gbs of data (historical data). New data is added to that directory but in a low rate 50mbs/daily. I want to index all the data to Splunk without exceeding the daily limit. I don't need all the data to be indexed at once.

Is there a way to control how much data is indexed daily?

On limits.conf there is a setting called maxKBps, but it seems it's related to forwarders.

richgalloway · ‎03-31-2017

Go ahead and index it all at once. If you blow your license it'll only be one time. You're allowed 3 violations per month, IIRC.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-31-2017

Go ahead and index it all at once. If you blow your license it'll only be one time. You're allowed 3 violations per month, IIRC.

---
If this reply helps you, Karma would be appreciated.

edrivera3 · ‎03-31-2017

This is not an option. If I do that I will exceed 3 violations per month.

edrivera3 · ‎03-31-2017

Ok. how much data I can index above the limit in a single day?

adonio · ‎03-31-2017

as much as you want
you can index terabytes of data in a day and count as 1 warning
@richgalloway answer is correct IMHO

edrivera3 · ‎03-31-2017

Ohh cool. I didn't know that. Thanks

How to avoid exceeding daily limit when monitoring directory?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk