Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Controlled license violation - read a single huge logfile

FRoth
Contributor
‎08-20-2013 01:41 AM

We received a log file containing incident data that has more than 30 GB.
Our license allows a daily indexing volume of 10 GB.
What would happen if we indexed the whole file? I suppose that we would trigger a single license alert, isn't it?

Is there a limit that disables splunk completely, let's say if we would index a file of 60GB on a single day or 80 GB?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rturk
Builder
‎08-20-2013 01:58 AM

You get up to 5 violations in a rolling 30 day period. This gives you the flexibility to do the occasional large file (such as your 30GB file) without impacting your ability to use the platform. There is no maximum file size that would disable Splunk completely, although you just need to be sure that your servers can index the volume of data you want to.

In the event that you do exceed the licensing 5 times, Splunk won't stop indexing, but it will stop your ability to search against the data (incl. summary & scheduled searches). This would also impact dashboards as they are populated by searches.

Hope this helps 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

rturk
Builder
‎08-20-2013 01:58 AM

You get up to 5 violations in a rolling 30 day period. This gives you the flexibility to do the occasional large file (such as your 30GB file) without impacting your ability to use the platform. There is no maximum file size that would disable Splunk completely, although you just need to be sure that your servers can index the volume of data you want to.

In the event that you do exceed the licensing 5 times, Splunk won't stop indexing, but it will stop your ability to search against the data (incl. summary & scheduled searches). This would also impact dashboards as they are populated by searches.

Hope this helps 🙂

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...