Stop Indexing at License Cap

emccaslin
Path Finder

I have a 10GB Indexing License, which, for the first time, we have exceeded. I know for sure exactly which input caused this, and I would like to know if there is a way to tell Splunk to stop indexing this input's data if the license quota hits 90%.

This data is coming directly from tcp, so the data will be lost but this is preferred over the other data on the system. Is there any way to do this?

Thanks.

1 Solution

rtadams89
Contributor

You could probably get creative with a script triggered by a scheduled search. Basically have an alert that fires when license usage > 90%, then have that alert run a script. What the script does will depend on your environment, but it could for example modify an app on your deployment server to disable the input that you want to stop.

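One way to carry out the accepted answer's "alert fires at 90%, alert runs a script" approach, as an added example that is not code from the original thread: a small alert-action script that reads license pool usage over the REST API and, when the pool is at or above the threshold, POSTs to the disable endpoint of the TCP input. It assumes the documented endpoints `/services/licenser/pools` (fields `used_bytes`, `quota`) and `/services/data/inputs/tcp/raw/<port>/disable`, a bearer token, and the environment variables `SPLUNK_HOST`, `SPLUNK_TOKEN` and `TCP_PORT`; check the field names against the REST reference for your version.

```python
"""Alert-action script: disable one TCP input once license use reaches 90%.

A matching saved search (constructed for this example) that could trigger it:
    | rest /services/licenser/pools
    | eval pct=round(used_bytes/quota*100,1) | where pct>=90
Disabling the input only stops Splunk listening on that port; senders see a
refused connection and that data is dropped, which is what the question asks for.
"""
import json
import os
import ssl
import urllib.request

THRESHOLD_PCT = 90.0  # percentage of the pool quota at which the input is cut


def usage_percent(pools_json: dict) -> float:
    """Return the highest used/quota percentage across the license pools.

    `pools_json` is the decoded JSON of GET /services/licenser/pools
    (output_mode=json); each entry's content carries used_bytes and quota.
    """
    worst = 0.0
    for entry in pools_json.get("entry", []):
        content = entry["content"]
        quota = float(content.get("quota") or 0)
        if quota <= 0:  # unlimited or empty pool: nothing to compare against
            continue
        worst = max(worst, 100.0 * float(content.get("used_bytes", 0)) / quota)
    return round(worst, 1)


def should_disable(pct: float, threshold: float = THRESHOLD_PCT) -> bool:
    """Trip at or above the threshold, never below it."""
    return pct >= threshold


def _rest(method: str, path: str, token: str, host: str) -> dict:
    """Call the Splunk management port (8089, assumed) with a bearer token."""
    req = urllib.request.Request(
        f"https://{host}:8089{path}?output_mode=json",
        data=b"" if method == "POST" else None,
        method=method,
        headers={"Authorization": f"Bearer {token}"},
    )
    ctx = ssl.create_default_context()  # keeps certificate checks on; point it at your CA if self-signed
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    host, token, port = (os.environ[k] for k in ("SPLUNK_HOST", "SPLUNK_TOKEN", "TCP_PORT"))
    pct = usage_percent(_rest("GET", "/services/licenser/pools", token, host))
    if should_disable(pct):
        _rest("POST", f"/services/data/inputs/tcp/raw/{port}/disable", token, host)
```

Re-enabling afterwards is the same call against the input's `enable` endpoint, which a second scheduled search after the daily license reset could drive.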

grijhwani
Motivator

I misread your question originally and thought you said you did not know what the source was that was taking you over your limit.

Rather than stopping logging, I would approach the problem slightly differently. It is true of most sources that not all of the content is particularly interesting. If your source is logging a regular set of messages which just represent noise, you can filter them out by applying whitelist/blacklist filtering to your inputs. This can quite often drastically reduce the quantity whilst at the same time improving the quality of your throughput.

Just a thought.

grijhwani
Motivator

You don't literally blacklist/whitelist. You filter the unwanted entries to the "null queue".

It's old, but there's already an answer on the topic at http://answers.splunk.com/answers/1888/How-do-I-configure-Splunk-to-filter-out-events-I-don%E2%80%99...

emccaslin
Path Finder

Do you mean to whitelist/blacklist the events before they are indexed? I'm not sure how to do that.


emccaslin
Path Finder

This is exactly where I have started going with this. The problem with the tcp inputs is that Splunk does not support a CLI command to disable the port without removing the tcp port completely. Still working on it.


emccaslin
Path Finder

I would like this to happen automatically as this usually occurs on the weekends when we are away.

I know I can disable the tcp port. Is there a way to get one specific tcp port / data input to automatically disable itself when the 90% license quota is hit?
