I had installed an Enterprise trial license which was going well for me with searching and reporting. But after installing the "Splunk on Splunk" app and "Splunk App for Windows Infrastructure",
I got a warning message that "Daily indexing volume limit exceeded today", after which I was not able to search. I know Splunk does not stop indexing your data, it only blocks search while you exceed your license.
Is it possible that I can configure a threshold so that Splunk can stop indexing after a certain limit?
No, this is not possible. But you can set up filtering and routing to the null queue to get rid of unwanted events; take a look at the docs about "Filter event data and send to queues".
Update: to be precise, it is somehow possible to limit the daily indexing amount with Splunk ... BUT ... not in a way you expect! You can limit the daily amount of indexed data if you only use Universal Forwarders and limit their throughput by using limits.conf and setting the appropriate [thruput] stanza, so the sum of all UFs' transmitted data will not exceed your daily license volume.
hope this helps ...
Thanks MuS. Apart from that, if it is not possible, I think I can also set an alert on, say, 400 MB exceeded, so that I can take preventive measures before my license is violated.
Perhaps you could write a script that, once the license reaches a certain point, turns off receiving (using a REST endpoint) so Splunk stops indexing anything new (at least from forwarders); you could do the same for any other TCP or UDP, scripted inputs...
But currently I am not using any universal forwarders; it is just a test machine on which I had previously installed some apps, due to which my license was violated.
This should be a feature available per input imo. for now, gfuente's solution should be easy enough to implement.
- write a perl or python script to be used as a scripted input
- the script starts by using the REST API to check for current values like indexed t
- if the license has room, the script checks for new events by reading them from a file, folder, database or whatever
- last, print the events so Splunk can index them
- don't forget to account for the amount of space remaining on the daily usage allowed vs. the amount of new events that will be added
- also, if you have multiple input scripts doing this, you would need to check if any of them are running and wait until they're done before executing
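A sketch of the scripted-input approach from the steps above, added here as an example and not code from anyone in this thread. The licenser endpoint path, its quota/used_bytes fields, the token header and the 90% headroom are assumptions; the budget and event-selection logic is what the steps describe.

```python
"""Scripted input that only emits new events while the daily license has room.

Assumed (not from the thread): GET /services/licenser/pools?output_mode=json
returns entries whose 'content' carries 'quota' and 'used_bytes' in bytes,
and the management port accepts a token in an Authorization header.
"""
import json
import sys
import urllib.request

MGMT_URL = "https://localhost:8089"          # management port of this test box


def remaining_bytes(pool_json, headroom=0.9):
    """Bytes still allowed today, summed over all pools, after reserving
    (1 - headroom) of the quota as a safety margin for other inputs."""
    used = quota = 0
    for entry in pool_json.get("entry", []):
        content = entry.get("content", {})
        used += int(content.get("used_bytes", 0))
        quota += int(content.get("quota", 0))
    return max(0, int(quota * headroom) - used)


def fetch_pools(base_url, token):
    """Query the (assumed) licenser pools endpoint with an auth token."""
    req = urllib.request.Request(
        base_url + "/services/licenser/pools?output_mode=json",
        headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def select_events(lines, budget):
    """Take whole newline-terminated events until `budget` bytes would be
    exceeded. Returns (emitted, leftover) so leftovers wait for the next run."""
    emitted, used = [], 0
    for i, line in enumerate(lines):
        size = len(line.encode("utf-8"))
        if used + size > budget:
            return emitted, lines[i:]
        emitted.append(line)
        used += size
    return emitted, []


if __name__ == "__main__":
    # Usage: script.py <token> <file>; only lines that fit the budget are
    # printed, so Splunk indexes them; the rest are written back to the file.
    token, path = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as fh:
        pending = fh.readlines()
    ok, rest = select_events(pending, remaining_bytes(fetch_pools(MGMT_URL, token)))
    sys.stdout.writelines(ok)
    with open(path, "w", encoding="utf-8") as fh:
        fh.writelines(rest)
```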
I disagree with MuS here.
limits.conf: [thruput] maxKBps= will do what you want, if you set it on the indexer itself. If you have multiple indexers, each indexer gets a fraction of the total.
Be aware there are caveats to this solution, which I will leave as an exercise to the reader.
Pretty weird it still isn't included in some config file: an option to 'hold indexing' when e.g. 99% of the daily license is used. Limits.conf (what's in a name) can't limit the license usage...
For multiple test environments with their own Splunk environments where unexpected things occur daily, you don't want the hassle of having to monitor the license during the day. Or when something over a long weekend is bouncing and dumping, you don't want this annoying license warning coming at ya.
Can't be so difficult to have this option. Yes, with a larger environment you can do some remote searches and make a splunk-stop script for the heavy forwarder. But on a single server it'll bring the whole web interface down as well. On production environments I understand it's usually not desired to implement.