Installation
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

how to avoid exceeded daily indexing volume limit when adding new server?

baalchina
New Member
‎01-18-2013 05:26 AM

hello everyone,

I am testing splunk, and add an iis server to splunk server. For this server had ran for years, about 12g logs in the it.

So I found splunk notice me

Daily indexing volume limit exceeded today.

very soon.

Beacuse this server cannot generate 500M logs in a single day, so in normal time everything will be ok, but what can I do if I add this server in the first time to avoid exceed daily limit?

Thanks.

Tags (1)
0 Karma
Reply

jodros
Builder
‎01-18-2013 05:37 AM

You are allowed to burst above your daily indexing licensing limit 5 times in 30 days with an Enterprise license. A message will appear and remain for 14 days notifying you that you went above you daily licensing limit, but search will not be disabled. I usually just called into support and they can turn the warning message off. I find it is best to plan for adding servers with a large amount of backfill data, and add them all on the same day.

You can also add a limits.conf file to the IIS server Splunk config to throttle the amount of logs being indexed using the "maxKBps = integer" statement. For example maxKBps = 512 would limit the speed of logs being send to not exceed 512 KBps. Please notice that this is in Bytes, not bits as most networking notation uses.

Reply

jodros
Builder
‎02-19-2013 10:15 AM

baalchina, just checking in to see if you issue is now resolved.

thanks

0 Karma
Reply

jodros
Builder
‎01-21-2013 06:19 AM

baalchina, did the supplied answer resolve your issue? If so, please select it as the accepted answer.

Thanks

0 Karma
Reply

jodros
Builder
‎01-18-2013 02:55 PM

Did this answer resolve you question? If so, please mark it as the accepted answer.

Thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...