Installation

Stop Indexing at License Cap

Path Finder

I have a 10GB Indexing License, which for the first time we have exceeded the limit. I know for sure exactly which input that caused this, and I would like to know if there is a way to tell Splunk to stop this indexing input from this data if the license quota hits 90%.

This data is coming directly from tcp, so the data will be lost but this is preferred over the other data on the system. Is there any way to do this?

Thanks.

1 Solution

Contributor

You could probably get creative with a script triggered by a scheduled search. Basically have an alert that fires when license usage > 90%, then have that alert run a script. What the script does will depend on your environment, but it could for example modify an app on your deployment server to disable the input that you want to stop.

View solution in original post

Motivator

I misread your question originally and though you said you did not know what that source was that was taking you over your limit.

Rather than stopping logging, I would approach the problem slightly differently. It is true of most sources that not all of the content is particularly interesting. If your source is logging a regular set of messages which just represent noise, you can filter them out by applying whitelist/blacklist filtering to your inputs. This can quite often drastically reduce the quantity whilst at the same time improving the quality of your throughput.

Just a thought.

Motivator

You don't literally blacklist/whitelist. You filter the unwanted entries to the "null queue".

It's old, but there's already an answer on the topic at http://answers.splunk.com/answers/1888/How-do-I-configure-Splunk-to-filter-out-events-I-don%E2%80%99...

Path Finder

Do you mean to whitelist/blacklist the events before they are indexed? I'm not sure how to do that.

0 Karma

Contributor

You could probably get creative with a script triggered by a scheduled search. Basically have an alert that fires when license usage > 90%, then have that alert run a script. What the script does will depend on your environment, but it could for example modify an app on your deployment server to disable the input that you want to stop.

View solution in original post

Path Finder

This is exactly where I have started going with this. The problem with the tcp inputs is that Splunk does not support a CLI command to disable the port without removing the tcp port completely. Still working on it.

0 Karma

Path Finder

I would like this to happen automatically as this usually occurs on the weekends when we are away.

I know I can disable the tcp port, is there a way to get one specific tcp port / data input to automatically disable itself when the 90% license quota is hit?