Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Logs not coming to splunk from UF

Hemant93
Loves-to-Learn Lots
‎06-30-2023 04:47 AM

Hi team,

Logs are not coming to splunk .The UF is working fine and even connected to indexers, inputs.conf and everything seems perfect.
we are facing this issue for few UFs only.
can you suggest something which i should check? 

These are the warnings we are getting :- 

1. Search peer dallpspiap090m has the following message: Daily indexing volume limit exceeded. Per the Splunk Enterprise license policy in effect, search is disabled after 5 warnings over a 30-day window. Your Splunk deployment is subject to license enforcement. See License Manager for details.

2. Root Cause(s):

  • Sum of 3 highest per-cpu iowaits reached red threshold of 15
  • Sum of 3 highest per-cpu iowaits reached yellow threshold of 7
  • Maximum per-cpu iowait reached red threshold of 10
    • Unhealthy Instances:
      • dallpshdap010m
      • mialvshdap010m.vtitel.net
      • dallvissap010m.vtitel.net
      • mialvissap030m.vtitel.net
      • dallvissap030m.vtitel.net
      • mialvissap010m.vtitel.net
      • dallvissap020m.vtitel.net
      • mialvissap020m.vtitel.net

         3. Search Lag

        • Root Cause(s):
          • The percentage of non high priority searches lagged (67%) over the last 24 hours is very high and exceeded the yellow thresholds (40%) on this Splunk instance. Total Searches that were part of this percentage=268303. Total lagged Searches=182113


Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-30-2023 09:53 AM

This is interesting since the license warning says about 5 violations during 30-day period which is the typical setting for a Splunk Free instance. Your environment seems much bigger than the one for Splunk Free instance.

There is probably more things wrong underneath.

We don't know your event routing, we don't know your architecture, we don't know your search settings.

I'd advise you get a consultant to look over your environment because it looks as if you have more problems than just events which are supposedly not showing in search (but they might be although they might be wrongly parsed and misplaced, for example).

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-30-2023 11:39 AM

Definitely there seems to be something else too. 5/30 was normal limit with older 7&8 versions, not only free. If your instance is using free license then you cannot get unlock license. That’s just for paid customers!

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-30-2023 04:51 AM

Hi

your logs are coming to splunk, but you cannot search those as you are ingested too many times over your license quota.

 Search peer dallpspiap090m has the following message: Daily indexing volume limit exceeded. Per the Splunk Enterprise license policy in effect, search is disabled after 5 warnings over a 30-day window. Your Splunk deployment is subject to license enforcement. See License Manager for details.

You need to order Unlock license from Splunk. Contact to your account team and ask this.

r. Ismo 

0 Karma
Reply

Hemant93
Loves-to-Learn Lots
‎06-30-2023 05:03 AM

Hi Isoutamo,

 

But we are getting for most of the servers but not getting logs for recently configured servers.


0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...