Installation

Licence issue

sankarr
New Member

Hello,
I am using Splunk Enterprise (trial) version 4.3.3. I have indexed the real-time log using Splunk and scheduled two search alerts to run every 4 hours. The file size has not reached 500 MB, but I got a warning message saying the limit was exceeded twice. Is that something I have not indexed properly? If I get a licence, will I get the same problem? I believe other system default indexes are utilizing more memory. How do I avoid this?

0 Karma

sankarr
New Member

Hello,

Thanks for your reply. I can index 500 MB per day using the Enterprise version. When I ran the query, the index volume was exceeded twice. I am new to this tool. I have pointed it at the real-time SIP log, and every 4 hours it searches for the keyword ALARM. I believe it's searching from the top of the log file again and again. How do I search the tail lines in the runtime logs?

Thanks
Sankar

0 Karma

abhayneilam
Contributor

All the files of a particular folder are not getting imported automatically; only the first file is getting added. Please suggest a solution!

0 Karma

Sqig
Path Finder

I'm not sure I'm following.

With Splunk, you point it at a log file and it consumes the entire file. It then continues to consume new lines as they get added to the log file. So you are actually indexing the full volume of the file, not just the results of your searches.

0 Karma

Sqig
Path Finder

When you go to Manager -> License, what does it show as your daily volume?

My guess would be that you may be indexing things you are not aware of.

What does Splunk think you indexed? Try searches like these to check your daily indexing volume totals, or the volume broken down by index or sourcetype. This will help you confirm that you really are not indexing more than 500 MB of data per day.

Total:

index=_internal source=*metrics.log group=per_index_thruput earliest=-7d@d latest=now | timechart span=1d eval(sum(kb)/1024) AS "Daily Indexing Volume in MB"

By Index:

index=_internal source=*metrics.log group=per_index_thruput series!="_*" earliest=-7d@d latest=now | eval indexed_mb = kb / 1024 | timechart fixedrange=t span=1d sum(indexed_mb) by series

By Sourcetype:

index=_internal source=*metrics.log group=per_sourcetype_thruput series!="_*" earliest=-7d@d latest=now | eval indexed_mb = kb / 1024 | timechart fixedrange=t span=1d sum(indexed_mb) by series

Edit: Original was in GB... I converted to MB for this post.

0 Karma
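The searches in the answer above all do the same thing: read the per_index_thruput / per_sourcetype_thruput lines that splunkd writes to metrics.log, add up the kb field per day and per series, skip the underscore-prefixed internal indexes, and divide by 1024. The following script, added here as an illustration and not part of the original thread or of Splunk itself, reproduces that accounting offline on a few constructed metrics.log lines (the timestamps, series names and kb values are made up) so you can see what the timechart is summing and why a 500 MB/day quota can be exceeded even when the file you pointed Splunk at is small. The 500 MB quota and the "_" prefix rule are assumptions taken from the thread, not a full license calculation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format Splunk 4.x writes to
# $SPLUNK_HOME/var/log/splunk/metrics.log. Values are made up for this example.
SAMPLE_METRICS_LOG = """\
07-10-2012 00:00:31.113 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=0.0617, eps=0.258, kb=1.909180, ev=8, avg_age=1.125000, max_age=2
07-10-2012 00:00:31.113 +0000 INFO  Metrics - group=per_index_thruput, series="_internal", kbps=3.1, eps=12.5, kb=96.0, ev=388, avg_age=0.5, max_age=1
07-10-2012 00:00:31.113 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="sip_log", kbps=0.0617, eps=0.258, kb=1.909180, ev=8, avg_age=1.125000, max_age=2
07-10-2012 12:00:31.120 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=2.0, eps=9.0, kb=600000.0, ev=2400000, avg_age=0.9, max_age=3
07-11-2012 03:00:31.201 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=1.2, eps=4.0, kb=2048.0, ev=8000, avg_age=1.0, max_age=2
07-11-2012 03:00:31.201 +0000 INFO  Metrics - group=per_index_thruput, series="_audit", kbps=0.01, eps=0.1, kb=1.0, ev=4, avg_age=1.0, max_age=2
"""

# Timestamp and offset, log level, then "Metrics - " followed by a
# comma-separated list of key=value pairs (string values are double-quoted).
LINE_RE = re.compile(
    r'^(?P<ts>\d\d-\d\d-\d{4} \d\d:\d\d:\d\d\.\d+) [+-]\d{4} \w+\s+Metrics - (?P<kv>.*)$'
)


def parse_metrics(text):
    """Yield one dict per thruput line: day (ISO date), group, series, kb."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a Metrics line; ignore it
        fields = {}
        for pair in m.group("kv").split(", "):
            key, _, value = pair.partition("=")
            fields[key] = value.strip('"')
        if not {"group", "series", "kb"} <= fields.keys():
            continue  # some groups (e.g. queue metrics) carry no kb field
        day = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f").date().isoformat()
        yield {"day": day, "group": fields["group"],
               "series": fields["series"], "kb": float(fields["kb"])}


def daily_volume_mb(text, group="per_index_thruput", skip_internal=True):
    """Sum kb per (day, series) for one thruput group and convert to MB.

    skip_internal drops series whose name starts with "_" (_internal, _audit,
    ...), which is what series!="_*" does in the forum searches. Assumption:
    those are the only series to exclude; this is not a license calculation.
    """
    totals = defaultdict(float)
    for rec in parse_metrics(text):
        if rec["group"] != group:
            continue
        if skip_internal and rec["series"].startswith("_"):
            continue
        totals[(rec["day"], rec["series"])] += rec["kb"] / 1024.0
    return dict(totals)


def daily_totals_mb(text, **kwargs):
    """Collapse daily_volume_mb() to one number per day (the "Total" search)."""
    per_day = defaultdict(float)
    for (day, _series), mb in daily_volume_mb(text, **kwargs).items():
        per_day[day] += mb
    return dict(per_day)


def days_over_quota(text, quota_mb=500.0):
    """Days whose summed indexed volume exceeds the assumed daily quota in MB."""
    return sorted(day for day, mb in daily_totals_mb(text).items() if mb > quota_mb)


if __name__ == "__main__":
    for (day, series), mb in sorted(daily_volume_mb(SAMPLE_METRICS_LOG).items()):
        print(f"{day} {series:12s} {mb:10.3f} MB")
    print("per-sourcetype:", daily_volume_mb(SAMPLE_METRICS_LOG, group="per_sourcetype_thruput"))
    print("days over 500 MB:", days_over_quota(SAMPLE_METRICS_LOG))
```

In the constructed data the 600000 kb burst into main on the first day is what pushes that day over 500 MB, while the _internal and _audit series are not counted at all; running the same grouping on a real metrics.log (or the by-index search above) is the quickest way to find which index or sourcetype is actually consuming the quota.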