Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise
- :
- Daily indexing volume exceeded
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I am currently using the free license as we are investigating the product for possible furture use in our system. One thing I have noticed is I am getting a Daily Indexing volume limit exceeded warning. Now I have only been running this for 1 day, so far and I have a count of about 8.5 million events which equates when I look at the indexes to about 220 MB, if this is the case why am I getting this warning?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you say you're looking at the indexes, where are you looking? If you're checking how much space they're using on disk, that won't show how much data Splunk has indexed since all data is compressed before being stored in the indexes. The license counts against the amount of (uncompressed) data coming in.
You can see more information about data volumes being indexed and more in the dashboards that are available in the "Status » Index activity" menu in the search app. There are also apps that provide more comprehensive license usage statistics, for instance this one: http://splunk-base.splunk.com/apps/22382/splunk-license-usage
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you say you're looking at the indexes, where are you looking? If you're checking how much space they're using on disk, that won't show how much data Splunk has indexed since all data is compressed before being stored in the indexes. The license counts against the amount of (uncompressed) data coming in.
You can see more information about data volumes being indexed and more in the dashboards that are available in the "Status » Index activity" menu in the search app. There are also apps that provide more comprehensive license usage statistics, for instance this one: http://splunk-base.splunk.com/apps/22382/splunk-license-usage
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How exactly are you obtaining the 220MB figure ? Is there perhaps other data that was indexed in the previous Calendar day that you are not aware of that may have busted the limit ?
BTW, the license window with respect to warnings is measured on the previous Calendar day, not a 24 hour sliding window.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That size is referring to the actual index size after compressing the data, not how much uncompressed data Splunk has indexed. See my answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you look at the index under indexes it gives you the total number of indexes so far, the 220MB is the total I have ad since I started the service yesterday, todays total is only about 68MB of the total shown above
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
