Splunk Enterprise

Daily license usage exceeded

BRFZ
Communicator

Hello everyone, 

We have noticed a sudden and unexpected increase in daily license usage in our Splunk environment over the past few days, causing the license threshold to be exceeded.


While investigating the source of this increase, we identified an index that had previously generated a high volume of data. However, since the license usage started exceeding the limit, this same index is now showing 0 events ingested.

This behavior seems inconsistent, as the index that appears related to the spike is no longer ingesting any data.

Has anyone encountered a similar issue before?

Thank you in advance.


PickleRick
SplunkTrust

OK. If the index is _now_ showing no ingestion, it doesn't mean that those events aren't still there, right? Or do you have such a short retention period that they have already rolled out to frozen?

Can you just look into what those events are? What caused them?

There can be several reasons for this. One is that source (or one of the sources) simply malfunctioned and started producing a lot of logs which you'd normally not expect to ingest (like debug logs or stuff like that).

Another typical use case is if you configure a new source (or new input) which has some pre-existing data to ingest. I did this once at home - I told Splunk to ingest my exim logs, forgetting that it had some 3 or 5 years of backlog to index.

Of course there is also a possibility that someone misconfigured something or was a bit trigger-happy with the "collect" command. 


livehybrid
SplunkTrust

Hi @BRFZ 

How are you sending the data to your Indexers? Did you make any changes to the ingestion when you started seeing the spike to try and reduce it?

My gut feeling would be that something higher up the chain has crashed, i.e. the forwarder or intermediate forwarder. Are you able to see any _internal logs from the forwarder sending the data (assuming the data is sent via a forwarder)?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

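Both suggestions above (look at what the spiked events actually were, and check whether the sending forwarder went quiet) can be answered from the license manager's license_usage.log, which Splunk also indexes into _internal. The script below is an added example, not code from the thread or from Splunk: it parses type=Usage lines, flags indexes whose daily volume spiked and then dropped to zero, and lists which hosts fed the spike. The log lines are constructed, and the field layout assumed is the usual one (s, st, h, idx, b).

```python
import re
from collections import defaultdict
from statistics import median

# key=value pairs as they appear in license_usage.log "type=Usage" lines;
# some values are double-quoted, b (bytes charged to the license) is bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample (not from any real deployment): s=source, st=sourcetype,
# h=sending host, idx=index, b=bytes. Index "app" spikes on 04-02 (mostly
# from web02) and then reports nothing on 04-03, the pattern from the thread.
SAMPLE_LOG = """\
04-01-2025 00:00:10.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app.log" st=app_log h="web01" o="" idx="app" i="idx1" pool="auto_generated_pool_enterprise" b=2000000000 poolsz=10737418240
04-01-2025 00:00:10.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/messages" st=syslog h="web01" o="" idx="os" i="idx1" pool="auto_generated_pool_enterprise" b=500000000 poolsz=10737418240
04-02-2025 00:00:10.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app.log" st=app_log h="web01" o="" idx="app" i="idx1" pool="auto_generated_pool_enterprise" b=3000000000 poolsz=10737418240
04-02-2025 00:00:10.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app.log" st=app_log h="web02" o="" idx="app" i="idx1" pool="auto_generated_pool_enterprise" b=11000000000 poolsz=10737418240
04-02-2025 00:00:10.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/messages" st=syslog h="web01" o="" idx="os" i="idx1" pool="auto_generated_pool_enterprise" b=510000000 poolsz=10737418240
04-03-2025 00:00:10.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/messages" st=syslog h="web01" o="" idx="os" i="idx1" pool="auto_generated_pool_enterprise" b=495000000 poolsz=10737418240
"""

def parse_usage(log_text):
    """Yield (iso_day, idx, host, bytes) for every type=Usage line."""
    for line in log_text.splitlines():
        if "type=Usage" not in line:
            continue
        t = line.split(" ", 1)[0]                  # MM-DD-YYYY -> YYYY-MM-DD (sorts correctly)
        day = f"{t[6:10]}-{t[0:2]}-{t[3:5]}"
        kv = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3) for m in KV_RE.finditer(line)}
        yield day, kv["idx"], kv["h"], int(kv["b"])

def find_spike_then_silent(log_text, spike_factor=5.0):
    """Indexes whose peak day is >= spike_factor x their median day and that report 0 bytes on the last day."""
    totals = defaultdict(lambda: defaultdict(int))   # idx -> day -> bytes
    for day, idx, _host, b in parse_usage(log_text):
        totals[idx][day] += b
    days = sorted({d for per_day in totals.values() for d in per_day})
    suspects = {}
    for idx, per_day in totals.items():
        series = [per_day.get(d, 0) for d in days]   # missing day == nothing ingested
        base, peak = median(series), max(series)
        if base > 0 and peak >= spike_factor * base and series[-1] == 0:
            suspects[idx] = {"peak_day": days[series.index(peak)], "peak_bytes": peak}
    return suspects

def hosts_for(log_text, idx, day):
    """Bytes per sending host for one index on one day: which forwarder fed the spike."""
    per_host = defaultdict(int)
    for d, i, host, b in parse_usage(log_text):
        if i == idx and d == day:
            per_host[host] += b
    return dict(per_host)
```

Inside Splunk the same attribution is `index=_internal source=*license_usage.log type=Usage | timechart span=1d sum(b) by idx`, and splitting by `h` for the spiked index shows which forwarder stopped reporting.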