Good morning everybody,
as reported in the subject I have a license limit violation in my Splunk installation with unavailability of searching anything. I verified that in the last 30 days I didn't exceed the 500 MB daily in the log.
Why I cannot use the search feature and why I'm receiving the license violation error if I'm inside the 500 MB limit (I'm currently respecting the license agreement of the Splunk free version)?
Thank you very much for your assistance.
Dear all, thank you for your feedback.
I installed Splunk SOS and I generated the report of the license usage for the last 30 days: The daily usage of the license is always below 200MB each day.
Any suggestion? I cannot access the search yet.
You are probably looking at the Compressed index size. Your data will be between 10% and 110% based on the data compression ratio and unique columns in the data.. I recommend installing S.O.S. (splunk on splunk) app http://apps.splunk.com/app/748/, it will give you much insight to these values (metrics dashboard i believe)
Thank you for the reply. I have only one index with only one device feeding the syslog. I checked the size of the log from the search menu (i do not remember the right menu) and i created a graph with the amount of the index over the last 30 days. I'm always under 180 mb. I can confirm that the size is below 200 mb because i've another syslog with the same data.
Thank you very much,
It's also not calculated on a per-index basis but rather over all (non-internal) indexes combined... hence if you have three indexes getting 200MB each per day you're over 500MB in total daily.
From the sound of it, you are not within your 500 MB/day. How did you check? You are aware that the license is counted towards the uncompressed size of the incoming logs, not how much space they take on disk on the indexer.