Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- Licence issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Licence issue
Hello,
i am using splunk enterprise (trial) 4.3.3 version.i have indexed the real time log using splunk and scheduled two search alerts for every 4 hours. The file size not reached 500mb but got warning message like limit exceeded twice. is that something i have not indexed properly? if i get a licence will get a same problem right? i beleive other system default indexes utilizing more memory.how to avoid this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thanks for your reply..i can index 500MB per day using the enterprise version.when i ran the query index volume exceeded twice.I am new to this tool..I have pointed the real time SIP log,every 4 hour serching the keyword ALARM. i believe it's serching from the top of the log file again and again..how to search tail lines in the runtime logs?
Thanks
Sankar
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
all the files of a particular folder is not getting imported automatically, only the first file is getting added..please suggest any solution !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure I'm following.
With Splunk, you point it at a logfile and it consumes the entire file. It then continues to consume new lines as they get added to the log file. So you are actually indexing the full volume in the file, not just whatever your results of searches are.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you go to Manager -> License, what does it show as your daily volume?
My guess would be that you may be Indexing things you are not aware of.
What does Splunk thing you indexed? Try searches like these to check your daily indexing volume totals or volume sorted by index or sourcetype. This will help you confirm that you really are not Indexing more data than 500MB per day.
Total:
index=_internal per_index_thruput earliest=-7d@d latest=now | timechart span=1d eval(sum(kb)/1024) as "Daily Indexing Volume in MB"
By Index:
index=internal metrics kb series!=* "group=per_index_thruput" daysago=7| eval indexed_mb = kb / 1024 | timechart fixedrange=t span=1d sum(indexed_mb) by series
By Sourcetype:
index=internal metrics kb series!=* "group=per_sourcetype_thruput" daysago=7| eval indexed_mb = kb / 1024 | timechart fixedrange=t span=1d sum(indexed_mb) by series
Edit: Original was in GB... I converted to MB for this post.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
