Getting Data In

Logs not coming to splunk from UF

Hemant93
Loves-to-Learn Lots

Hi team,

Logs are not coming to Splunk. The UF is working fine and is even connected to the indexers; inputs.conf and everything else seems perfect.
We are facing this issue for a few UFs only.
Can you suggest something I should check?

These are the warnings we are getting:

1. Search peer dallpspiap090m has the following message: Daily indexing volume limit exceeded. Per the Splunk Enterprise license policy in effect, search is disabled after 5 warnings over a 30-day window. Your Splunk deployment is subject to license enforcement. See License Manager for details.

2. Root Cause(s):

  • Sum of 3 highest per-cpu iowaits reached red threshold of 15
  • Sum of 3 highest per-cpu iowaits reached yellow threshold of 7
  • Maximum per-cpu iowait reached red threshold of 10
    • Unhealthy Instances:
      • dallpshdap010m
      • mialvshdap010m.vtitel.net
      • dallvissap010m.vtitel.net
      • mialvissap030m.vtitel.net
      • dallvissap030m.vtitel.net
      • mialvissap010m.vtitel.net
      • dallvissap020m.vtitel.net
      • mialvissap020m.vtitel.net

3. Search Lag

  • Root Cause(s):
    • The percentage of non high priority searches lagged (67%) over the last 24 hours is very high and exceeded the yellow thresholds (40%) on this Splunk instance. Total Searches that were part of this percentage=268303. Total lagged Searches=182113


0 Karma

PickleRick
SplunkTrust

This is interesting, since the license warning talks about 5 violations during a 30-day period, which is the typical setting for a Splunk Free instance. Your environment seems much bigger than a Splunk Free instance.

There are probably more things wrong underneath.

We don't know your event routing, we don't know your architecture, we don't know your search settings.

I'd advise you get a consultant to look over your environment because it looks as if you have more problems than just events which are supposedly not showing in search (but they might be although they might be wrongly parsed and misplaced, for example).

0 Karma

isoutamo
SplunkTrust

Definitely there seems to be something else too. 5/30 was the normal limit with the older 7 & 8 versions, not only Free. If your instance is using a free license then you cannot get an unlock license. That's just for paid customers!

0 Karma

isoutamo
SplunkTrust

Hi,

Your logs are coming to Splunk, but you cannot search them, as you have ingested over your license quota too many times.

Search peer dallpspiap090m has the following message: Daily indexing volume limit exceeded. Per the Splunk Enterprise license policy in effect, search is disabled after 5 warnings over a 30-day window. Your Splunk deployment is subject to license enforcement. See License Manager for details.

You need to order an Unlock license from Splunk. Contact your account team and ask for this.

r. Ismo 

0 Karma

Hemant93
Loves-to-Learn Lots

Hi Isoutamo,

But we are getting logs for most of the servers; we are just not getting logs for the recently configured servers.


0 Karma