Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

why a new warning about daily indexing volume exceeded?

wsw70
Communicator
‎02-13-2013 12:42 AM

I got yesterday a warning about daily indexing volume exceeded. The warning was correct, I made a mistake with one of the data source. This was corrected yesterday.

This morning I see two warnings: a permanent one (the one from yesterday) and a current one (the same I saw yesterday). How come it is re-issued since I do not see anything suspicious in the view suggested by the docs?

The view for yesterday was:

series  sum(MB)
vsec2dsy    1920.6647500677
ips_cisco   132.3562946397
_internal   61.512698216
trendmicro  18.6259823111
_audit  4.6508560657
main    0.9820251170
iwsva   0.8498468754
nessus2 0.174271584
officescancompliance    0.132205010

I have a license for 1GB, exceeded by the vsec2dsy index.

The view for today:

series  sum(MB)
ips_cisco   64.9516515819
_internal   23.472163197
trendmicro  5.9117831667
_audit  1.2491817557
vsec2dsy    0.379042632
main    0.234364522
iwsva   0.120780947

So everything is fine.

Why the warning then?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wsw70
Communicator
‎02-19-2013 02:25 AM

Well, since the warning disappeared, it looks like there is a running 24h window for its presence (in the sense that if the issue appears at 16:00 on a given day it will stay until 16:00 the next day, even though the indexing counters are reset at midnight).

This is a guess but since there are no other inputs I will close the question as it.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

wsw70
Communicator
‎02-19-2013 02:25 AM

Well, since the warning disappeared, it looks like there is a running 24h window for its presence (in the sense that if the issue appears at 16:00 on a given day it will stay until 16:00 the next day, even though the indexing counters are reset at midnight).

This is a guess but since there are no other inputs I will close the question as it.

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...