Controlled license violation - read a single huge logfile

FRoth
Contributor

We received a log file containing incident data that is larger than 30 GB.
Our license allows a daily indexing volume of 10 GB.
What would happen if we indexed the whole file? I suppose that we would trigger a single license alert, wouldn't we?

Is there a limit that disables Splunk completely, let's say if we indexed a file of 60 GB or 80 GB on a single day?


rturk
Builder

You get up to 5 violations in a rolling 30-day period. This gives you the flexibility to do the occasional large file (such as your 30 GB file) without impacting your ability to use the platform. There is no maximum file size that would disable Splunk completely, although you just need to be sure that your servers can index the volume of data you want to.

In the event that you do exceed the license 5 times, Splunk won't stop indexing, but it will stop your ability to search against the data (incl. summary & scheduled searches). This would also impact dashboards, as they are populated by searches.

Hope this helps 🙂
