Stop Indexing at License Cap

emccaslin
Path Finder

I have a 10GB indexing license, and for the first time we have exceeded the limit. I know for sure exactly which input caused this, and I would like to know if there is a way to tell Splunk to stop indexing this input's data if the license quota hits 90%.

This data is coming directly from tcp, so the data will be lost but this is preferred over the other data on the system. Is there any way to do this?

Thanks.

1 Solution

rtadams89
Contributor

You could probably get creative with a script triggered by a scheduled search. Basically have an alert that fires when license usage > 90%, then have that alert run a script. What the script does will depend on your environment, but it could for example modify an app on your deployment server to disable the input that you want to stop.
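
One way the alert-triggered script described above could disable the input, as an added example that is not part of the original post or Splunk's own code: it sets `disabled = 1` in a single stanza of an inputs.conf file and leaves every other stanza alone. The stanza name `tcp://5140`, the sample file contents and the function names are assumptions made for this example.

```python
import os
import re

# Constructed sample of a deployment-app inputs.conf; ports and sourcetypes
# are made up for this example.
SAMPLE_INPUTS_CONF = """\
[tcp://5140]
sourcetype = noisy_feed
index = main

[tcp://5141]
sourcetype = firewall
disabled = 0
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
DISABLED_RE = re.compile(r"^\s*disabled\s*=")


def set_disabled(conf_text, stanza, disabled=True):
    """Return conf_text with 'disabled' set in [stanza]; other stanzas untouched."""
    value = "disabled = 1" if disabled else "disabled = 0"
    out, in_target, found = [], False, False
    for line in conf_text.splitlines():
        header = STANZA_RE.match(line)
        if header:
            in_target = header.group(1) == stanza
            out.append(line)
            if in_target:
                found = True
                out.append(value)  # write the setting directly under the header
            continue
        if in_target and DISABLED_RE.match(line):
            continue  # drop the old value; the new one is already written
        out.append(line)
    if not found:
        # Fail loudly instead of appending a new stanza the admin never defined.
        raise KeyError("stanza [%s] not found" % stanza)
    return "\n".join(out) + "\n"


def disable_input(path, stanza):
    """Rewrite the file atomically so a crash cannot leave half an inputs.conf."""
    with open(path, encoding="utf-8") as fh:
        new_text = set_disabled(fh.read(), stanza)
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    os.replace(tmp, path)  # the stanza is fixed by the admin, never read from alert data
```

After the file changes, the deployment server still has to redistribute the app (for example with `splunk reload deploy-server`) before the forwarder picks up the disabled input.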

grijhwani
Motivator

I misread your question originally and thought you said you did not know what the source was that was taking you over your limit.

Rather than stopping logging, I would approach the problem slightly differently. It is true of most sources that not all of the content is particularly interesting. If your source is logging a regular set of messages which just represent noise, you can filter them out by applying whitelist/blacklist filtering to your inputs. This can quite often drastically reduce the quantity whilst at the same time improving the quality of your throughput.

Just a thought.

grijhwani
Motivator

You don't literally blacklist/whitelist. You filter the unwanted entries to the "null queue".

It's old, but there's already an answer on the topic at http://answers.splunk.com/answers/1888/How-do-I-configure-Splunk-to-filter-out-events-I-don%E2%80%99...

emccaslin
Path Finder

Do you mean to whitelist/blacklist the events before they are indexed? I'm not sure how to do that.

emccaslin
Path Finder

This is exactly where I have started going with this. The problem with the tcp inputs is that Splunk does not support a CLI command to disable the port without removing the tcp port completely. Still working on it.

emccaslin
Path Finder

I would like this to happen automatically, as this usually occurs on the weekends when we are away.

I know I can disable the tcp port. Is there a way to get one specific tcp port / data input to automatically disable itself when the 90% license quota is hit?
