I have a 10GB Indexing License, and for the first time we have exceeded the limit. I know for sure exactly which input caused this, and I would like to know if there is a way to tell Splunk to stop indexing this input's data if the license quota hits 90%.
This data is coming directly from tcp, so the data will be lost but this is preferred over the other data on the system. Is there any way to do this?
Thanks.
You could probably get creative with a script triggered by a scheduled search. Basically have an alert that fires when license usage > 90%, then have that alert run a script. What the script does will depend on your environment, but it could for example modify an app on your deployment server to disable the input that you want to stop.
I misread your question originally and thought you said you did not know what the source was that was taking you over your limit.
Rather than stopping logging, I would approach the problem slightly differently. It is true of most sources that not all of the content is particularly interesting. If your source is logging a regular set of messages which just represent noise, you can filter them out by applying whitelist/blacklist filtering to your inputs. This can quite often drastically reduce the quantity whilst at the same time improving the quality of your throughput.
Just a thought.
You don't literally blacklist/whitelist. You filter the unwanted entries to the "null queue".
It's old, but there's already an answer on the topic at http://answers.splunk.com/answers/1888/How-do-I-configure-Splunk-to-filter-out-events-I-don%E2%80%99...
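As an added example (not from the linked answer or from any poster above), the null-queue approach in Python: one function renders the props.conf / transforms.conf stanzas that route events matching a blacklist to nullQueue for a sourcetype, and a second dry-runs the same patterns over constructed sample events so the blacklist can be checked before it is deployed. The sourcetype name, the transform name and the sample events are assumptions; Splunk evaluates REGEX with PCRE, so keep patterns to the syntax both engines share. Events sent to nullQueue are discarded before indexing and do not count against the license.

```python
"""Null-queue filtering for noisy events: render the conf stanzas and dry-run them."""
import re
from typing import Iterable, List, Tuple


def _combine(patterns: List[str]) -> str:
    """Join individual blacklist patterns into one alternation, each in its own group."""
    return "|".join(f"(?:{p})" for p in patterns)


def render_nullqueue_conf(sourcetype: str, patterns: List[str],
                          transform_name: str = "drop_noise") -> Tuple[str, str]:
    """Return (props.conf text, transforms.conf text) that drop matching events.

    TRANSFORMS-* runs at parse time on the indexer or heavy forwarder;
    DEST_KEY = queue with FORMAT = nullQueue sends matches to the null queue.
    """
    props = f"[{sourcetype}]\nTRANSFORMS-null = {transform_name}\n"
    transforms = (
        f"[{transform_name}]\n"
        f"REGEX = {_combine(patterns)}\n"
        "DEST_KEY = queue\n"
        "FORMAT = nullQueue\n"
    )
    return props, transforms


def dry_run(events: Iterable[str], patterns: List[str]) -> Tuple[List[str], List[str]]:
    """Split events into (kept, dropped) using the same combined regex Splunk would apply."""
    rx = re.compile(_combine(patterns))
    kept, dropped = [], []
    for event in events:
        (dropped if rx.search(event) else kept).append(event)
    return kept, dropped


# Constructed sample events (assumption: a syslog-style app that spams heartbeats and DEBUG lines).
SAMPLE_EVENTS = [
    "Jun 12 03:00:01 app01 noisy_app[212]: heartbeat ok",
    "Jun 12 03:00:02 app01 noisy_app[212]: DEBUG cache size=4096",
    "Jun 12 03:00:03 app01 noisy_app[212]: ERROR connection to db02 refused",
    "Jun 12 03:00:04 app01 noisy_app[212]: user alice logged in from 10.0.0.5",
]
BLACKLIST = [r"\bheartbeat ok\b", r"\bDEBUG\b"]

if __name__ == "__main__":
    props, transforms = render_nullqueue_conf("noisy_app", BLACKLIST)
    print("# props.conf\n" + props + "\n# transforms.conf\n" + transforms)
    kept, dropped = dry_run(SAMPLE_EVENTS, BLACKLIST)
    print(f"kept {len(kept)}, dropped {len(dropped)}")
```

Run the dry-run against a few hundred lines captured from the real source first; a pattern that is too broad will silently discard the events you actually wanted indexed.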
Do you mean to whitelist/blacklist the events before they are indexed? I'm not sure how to do that.
This is exactly where I have started going with this. The problem with the tcp inputs is that Splunk does not support a CLI command to disable the port without removing the tcp port completely. Still working on it.
I would like this to happen automatically as this usually occurs on the weekends when we are away.
I know I can disable the tcp port. Is there a way to get one specific tcp port / data input to automatically disable itself when the 90% license quota is hit?
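As an added example (my code, not anything from the thread or from Splunk), here is the script half of the approach suggested above: a scheduled search alerts at 90% of quota and runs a script that, instead of removing the port through the CLI, flips `disabled = 1` on that input's stanza in the app's inputs.conf, leaving every other stanza untouched. The app path, the stanza name `[tcp://9514]`, the `used_bytes`/`quota_bytes` arguments and the sample file are assumptions; the scheduled search that supplies those numbers, and the reload or deployment-server push that makes Splunk pick up the edited file, are left to you.

```python
"""Disable one TCP input stanza in inputs.conf once license usage crosses a threshold."""
import re
from pathlib import Path

THRESHOLD_PCT = 90.0


def over_threshold(used_bytes: int, quota_bytes: int, pct: float = THRESHOLD_PCT) -> bool:
    """True when indexed volume is at or above pct percent of the daily quota."""
    if quota_bytes <= 0:
        raise ValueError("quota must be positive")
    return used_bytes * 100.0 / quota_bytes >= pct


def set_stanza_disabled(conf_text: str, stanza: str, disabled: bool = True) -> str:
    """Return conf_text with `disabled = 0/1` set inside [stanza].

    The key is replaced if present and added if missing; other stanzas are
    left exactly as they were. Raises KeyError if the stanza does not exist.
    """
    want = f"disabled = {1 if disabled else 0}"
    out, in_target, found, written = [], False, False, False

    def flush():  # add the key just before the next header (or EOF), above trailing blanks
        blanks = []
        while out and out[-1].strip() == "":
            blanks.append(out.pop())
        out.append(want)
        out.extend(blanks)

    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_target and not written:
                flush()
                written = True
            in_target = stripped == f"[{stanza}]"
            found = found or in_target
            out.append(line)
            continue
        if in_target and re.match(r"^\s*disabled\s*=", line):
            out.append(want)
            written = True
            continue
        out.append(line)
    if in_target and not written:
        flush()
    if not found:
        raise KeyError(f"stanza [{stanza}] not found")
    return "\n".join(out) + "\n"


def disable_tcp_input(inputs_conf: Path, port: int) -> None:
    """Rewrite the file in place so that [tcp://<port>] carries disabled = 1."""
    inputs_conf.write_text(set_stanza_disabled(inputs_conf.read_text(), f"tcp://{port}", True))


# Constructed sample inputs.conf (assumption: two raw TCP inputs in one app).
SAMPLE_INPUTS_CONF = (
    "[tcp://9514]\n"
    "sourcetype = syslog\n"
    "connection_host = ip\n"
    "\n"
    "[tcp://9515]\n"
    "sourcetype = other\n"
)

if __name__ == "__main__":
    # Values an alert would hand to the script; constructed here (9.3 GB of a 10 GB quota).
    used, quota = 9_300_000_000, 10_000_000_000
    if over_threshold(used, quota):
        print(set_stanza_disabled(SAMPLE_INPUTS_CONF, "tcp://9514"))
```

Wire it up as the alert's script action and, because the edit only takes effect after Splunk re-reads the file, follow it with whatever reload mechanism your deployment uses; re-enabling the input when the license day rolls over is the same edit with `disabled = 0`.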