
Stop Indexing at License Cap

emccaslin
Path Finder

I have a 10GB indexing license, and for the first time we have exceeded the limit. I know for sure exactly which input caused this, and I would like to know if there is a way to tell Splunk to stop indexing data from this input if the license quota hits 90%.

This data is coming directly from tcp, so the data will be lost, but this is preferable to losing the other data on the system. Is there any way to do this?

Thanks.

1 Solution

rtadams89
Contributor

You could probably get creative with a script triggered by a scheduled search. Basically have an alert that fires when license usage > 90%, then have that alert run a script. What the script does will depend on your environment, but it could for example modify an app on your deployment server to disable the input that you want to stop.

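One concrete way to wire up rtadams89's suggestion, as an added example rather than anything posted in this thread. It assumes a scheduled search such as `| rest /services/licenser/pools | fields used_bytes quota | where used_bytes*100/quota >= 90`, run every few minutes with the legacy "Run a script" alert action, which calls the script with the path of the gzipped results CSV in `SPLUNK_ARG_8`. The management URL, the admin credential in `SPLUNK_AUTH`, and the raw TCP port 9500 are placeholders for your environment. Instead of removing the port, the script sets `disabled=1` on the input's REST endpoint (`data/inputs/tcp/raw/<port>`), so the stanza and its settings survive and the input can be re-enabled later.

```shell
#!/bin/sh
# disable_tcp_input.sh: legacy "run a script" alert action for Splunk.
# Added example, not from the original thread. Assumptions:
#   * the alert search emits one row with columns used_bytes and quota
#     (e.g. | rest /services/licenser/pools | fields used_bytes quota)
#   * Splunk passes the gzipped results file path in SPLUNK_ARG_8
#   * SPLUNK_MGMT (management URL), SPLUNK_AUTH (user:password) and
#     TCP_PORT (the raw TCP input to disable) are set for this script
set -eu

THRESHOLD="${THRESHOLD:-90}"
SPLUNK_MGMT="${SPLUNK_MGMT:-https://127.0.0.1:8089}"
TCP_PORT="${TCP_PORT:-9500}"          # placeholder port
CURL="${CURL:-curl}"                  # overridable for a dry run

# Integer percentage of the quota consumed. Shell arithmetic is 64-bit,
# so a 10 GB quota (10737418240 bytes) times 100 does not overflow.
usage_pct() {
    used="$1"; quota="$2"
    [ "$quota" -gt 0 ] || { echo "quota must be positive" >&2; return 1; }
    echo $(( used * 100 / quota ))
}

# Pull used_bytes and quota out of the results CSV (gzipped when Splunk
# writes it; plain CSV is accepted too). Prints "used quota".
read_usage() {
    results="$1"
    if gzip -t "$results" 2>/dev/null; then zcat "$results"; else cat "$results"; fi |
    awk -F, '
        { gsub(/"/, "") }                       # strip Splunk CSV quoting
        NR == 1 {
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!("used_bytes" in col && "quota" in col)) {
                print "results lack used_bytes/quota columns" > "/dev/stderr"; exit 2
            }
            next
        }
        NR == 2 { print $col["used_bytes"], $col["quota"]; exit }'
}

# Disable the raw TCP input via REST instead of deleting it, so its
# sourcetype/index settings survive. Replace -k with --cacert <file>
# once the management port has a certificate you trust.
disable_tcp_input() {
    port="$1"
    "$CURL" -sS -k -u "$SPLUNK_AUTH" \
        -d disabled=1 \
        "$SPLUNK_MGMT/services/data/inputs/tcp/raw/$port"
}

main() {
    results="${SPLUNK_ARG_8:?results file not set}"
    set -- $(read_usage "$results")
    used="$1"; quota="$2"
    pct=$(usage_pct "$used" "$quota")
    if [ "$pct" -ge "$THRESHOLD" ]; then
        echo "license at ${pct}%, disabling tcp://$TCP_PORT" >&2
        disable_tcp_input "$TCP_PORT"
    else
        echo "license at ${pct}%, below ${THRESHOLD}%; nothing to do" >&2
    fi
}

# Only act when invoked by Splunk's alert framework.
if [ -n "${SPLUNK_ARG_8:-}" ]; then
    main
fi
```

The script re-checks the percentage from the alert's own results before acting, so a mis-scoped alert cannot disable the input by itself, and the REST call is idempotent, so the alert firing on every run after 90% is harmless. Keep the credential out of the saved search definition: source `SPLUNK_AUTH` from a file readable only by the splunk user, or move to a custom alert action that receives a session key. Nothing here re-enables the input; a second scheduled search at the start of the license day (or a manual `disabled=0`) is needed, and events that arrive between the last alert run and the disable are still metered.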

grijhwani
Motivator

I misread your question originally and thought you said you did not know what the source was that was taking you over your limit.

Rather than stopping logging, I would approach the problem slightly differently. It is true of most sources that not all of the content is particularly interesting. If your source is logging a regular set of messages which just represent noise, you can filter them out by applying whitelist/blacklist filtering to your inputs. This can quite often drastically reduce the quantity whilst at the same time improving the quality of your throughput.

Just a thought.

grijhwani
Motivator

You don't literally blacklist/whitelist. You filter the unwanted entries to the "null queue".

It's old, but there's already an answer on the topic at http://answers.splunk.com/answers/1888/How-do-I-configure-Splunk-to-filter-out-events-I-don%E2%80%99...
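What "filter to the null queue" looks like in practice, as an added example that is not from the linked answer or this thread. The sourcetype `acme:noisyapp` and the regexes are placeholders; the stanzas go in props.conf and transforms.conf on the instance that parses the data (the indexer, or a heavy forwarder; a universal forwarder does not run them). Events routed to nullQueue are dropped before indexing and do not count against the license. The second pair of stanzas shows the inverse, keep-only-these-events form, where order matters: the catch-all discard must come first and the keep rule last.

```ini
# props.conf  (placeholder sourcetype; assign it to the tcp input in inputs.conf)
# Option A: drop known noise, keep everything else.
[acme:noisyapp]
TRANSFORMS-drop_noise = drop_heartbeat, drop_debug

# transforms.conf
# REGEX is matched against the whole raw event; a match re-routes it.
[drop_heartbeat]
REGEX = \bheartbeat\b
DEST_KEY = queue
FORMAT = nullQueue

[drop_debug]
REGEX = \s(DEBUG|TRACE)\s
DEST_KEY = queue
FORMAT = nullQueue

# Option B (use instead of A): keep only ERROR/WARN, discard the rest.
# props.conf
[acme:noisyapp]
# Order matters: discard everything first, then re-queue what is worth keeping.
TRANSFORMS-keep_errors = setnull, setparsing

# transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = \s(ERROR|WARN)\s
DEST_KEY = queue
FORMAT = indexQueue
```

Restart splunkd after editing, confirm the merged stanza with `splunk btool props list acme:noisyapp --debug`, and test each REGEX against a sample of real events before relying on it: a regex that is too broad silently discards data you wanted, and one that is too narrow leaves the license problem in place.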

emccaslin
Path Finder

Do you mean to whitelist/blacklist the events before they are indexed? I'm not sure how to do that.


emccaslin
Path Finder

This is exactly where I have started going with this. The problem with the tcp inputs is that Splunk does not support a CLI command to disable the port without removing the tcp port completely. Still working on it.


emccaslin
Path Finder

I would like this to happen automatically as this usually occurs on the weekends when we are away.

I know I can disable the tcp port, is there a way to get one specific tcp port / data input to automatically disable itself when the 90% license quota is hit?
