Running build 4.3.3
I need a way to reset the license counter volume.
I'm not seeing any daily 'limit exceeded' errors at this point (I did see that one day last week).
The daily license counter is now up to 930GB...doesn't seem to reset at the 24 hour mark.
Yesterday it was 915, the day before 905...
But I'm getting an error:
‘skipped indexing of internal audit event will keep dropping events until indexer congestion is remedied….’
Could this be the root cause of the license volume issue?
Paula - there is no published way of resetting your license counter to my knowledge. If you get limits exceeded the requisite number of times in a month then you probably know(?) what happens to your indexing etc? If you are working at those levels then you are clearly not on the free versions, so probably have an enterprise license. Call Splunk or your 3rd party.
You still need to resolve where your issues are coming from - Splunk doesn't arbitrarily continue the volume count, it cycles over each midnight local time.
Run some searches in the 'Search Splunk Answers' for your specifics. I found the following:
index=_internal sourcetype=splunkd source=metrics "group=per_sourcetype_thruput" NOT series="filetrackercrclog" NOT series="splunk*" NOT series="audittrail" NOT series="scheduler" NOT series="searches" NOT series="stash" | eval events=eps*kb/kbps | stats sum(events) as events sum(kb) as kb by series | eval events=round(events,0) | eval kb=round(kb,1)
from Lowell posted way back, so credits to them...
And even hand-crafting, building on from index="_internal" | timechart sum(kb) by series, might give you an insight.
Good luck & BR
Paula - you could start looking at which index and where the volume is coming from. Splunk on Splunk will also give you a lot more info, business spikes aside but not ignoring them - we had a rather eye-opening time during an intrusion detection (pen testing) exercise on firewalls for example!
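An offline analogue of the per-sourcetype search quoted above, added here as an example and not part of the original thread: it totals kb per series per calendar day from metrics.log-style lines, using the same series exclusions as that search. The sample lines are constructed, and the line layout is an assumption modelled on splunkd's metrics.log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Series excluded by the search in the thread (plus anything starting with "splunk").
EXCLUDED = {"filetrackercrclog", "audittrail", "scheduler", "searches", "stash"}

# Constructed sample lines; the layout is assumed to follow splunkd's metrics.log.
SAMPLE = """\
01-14-2013 23:58:30.101 -0500 INFO  Metrics - group=per_sourcetype_thruput, series="cisco_asa", kbps=40.5, eps=120.0, kb=1255.5, ev=3720
01-14-2013 23:58:30.101 -0500 INFO  Metrics - group=per_sourcetype_thruput, series="splunkd", kbps=1.2, eps=8.0, kb=37.2, ev=248
01-14-2013 23:59:01.102 -0500 INFO  Metrics - group=per_sourcetype_thruput, series="cisco_asa", kbps=32.25, eps=90.0, kb=1000.25, ev=2790
01-14-2013 23:59:01.102 -0500 INFO  Metrics - group=per_sourcetype_thruput, series="linux_secure", kbps=9.5, eps=20.0, kb=300.5, ev=620
01-14-2013 23:59:01.102 -0500 INFO  Metrics - group=pipeline, name=parsing, processor=utf8, cpu_seconds=0.0, executes=100
01-15-2013 00:00:32.103 -0500 INFO  Metrics - group=per_sourcetype_thruput, series="cisco_asa", kbps=64.5, eps=200.0, kb=2000.0, ev=6200
01-15-2013 00:00:32.103 -0500 INFO  Metrics - group=per_sourcetype_thruput, series="linux_secure", kbps=4.8, eps=10.0, kb=150.25, ev=310
"""

LINE_RE = re.compile(r"^(\d{2}-\d{2}-\d{4}) \S+ \S+ INFO\s+Metrics - (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')

def parse_line(line):
    """Return (date, series, kb) for a per_sourcetype_thruput line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if fields.get("group") != "per_sourcetype_thruput":
        return None
    day = datetime.strptime(m.group(1), "%m-%d-%Y").date()
    return day, fields["series"], float(fields["kb"])

def daily_kb_by_series(lines):
    """Sum kb per series per calendar day, skipping the excluded internal series."""
    totals = defaultdict(lambda: defaultdict(float))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        day, series, kb = parsed
        if series in EXCLUDED or series.startswith("splunk"):
            continue
        totals[day.isoformat()][series] += kb
    return {day: dict(series) for day, series in totals.items()}

def top_series(totals, day, n=3):
    """Largest contributors for one day, as (series, kb) pairs, biggest first."""
    return sorted(totals[day].items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    for day, series in sorted(daily_kb_by_series(SAMPLE.splitlines()).items()):
        print(day, top_series({day: series}, day))
```

Because totals are keyed by calendar day, a per-series figure that keeps climbing across the midnight boundary stands out immediately.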