Getting Data In

'daily indexing volume limit exceeded' still showing up after removing reference to large data source

Engager

Have Splunk v4.2.4 installed as stand-alone (trial license).

Imported a huge file and got the 'daily indexing volume limit exceeded' message. Removed the reference to the huge file by going to Manager --> Data Inputs --> Files & Directories and deleting the reference. A day later and the 'daily indexing volume limit exceeded' message still shows across the top of Splunk Web. On Manager --> Licensing shows 0% of quota volume used today but with a new alert '1 pool warning reported by 1 indexer, correct by midnight to avoid violation'.

What am I missing? All roads have let me to the Admin Manual, About License Violations page (http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations) which doesn't seem to help me fix the problem and prevent a new violation. Any ideas, much appreciated.

Thanks,

0 Karma
1 Solution

Champion

Hi, in that link read in particular;

Violations occur when you exceed the
maximum indexing volume allowed for
your license. If you exceed your
licensed daily volume on any one
calendar day, you will get a violation
warning. The message persists for 14
days

So it will go after 14 days without a violation 🙂

View solution in original post

Champion

Hi, in that link read in particular;

Violations occur when you exceed the
maximum indexing volume allowed for
your license. If you exceed your
licensed daily volume on any one
calendar day, you will get a violation
warning. The message persists for 14
days

So it will go after 14 days without a violation 🙂

View solution in original post

Engager

Thanks Draineh. What confused me is that today I have another 'correct by midnight' message. But guess your point is to check the 'volume used today' after making changes.

0 Karma