Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

why a new warning about daily indexing volume exceeded?

wsw70
Communicator
‎02-13-2013 12:42 AM

I got yesterday a warning about daily indexing volume exceeded. The warning was correct, I made a mistake with one of the data source. This was corrected yesterday.

This morning I see two warnings: a permanent one (the one from yesterday) and a current one (the same I saw yesterday). How come it is re-issued since I do not see anything suspicious in the view suggested by the docs?

The view for yesterday was:

series  sum(MB)
vsec2dsy    1920.6647500677
ips_cisco   132.3562946397
_internal   61.512698216
trendmicro  18.6259823111
_audit  4.6508560657
main    0.9820251170
iwsva   0.8498468754
nessus2 0.174271584
officescancompliance    0.132205010

I have a license for 1GB, exceeded by the vsec2dsy index.

The view for today:

series  sum(MB)
ips_cisco   64.9516515819
_internal   23.472163197
trendmicro  5.9117831667
_audit  1.2491817557
vsec2dsy    0.379042632
main    0.234364522
iwsva   0.120780947

So everything is fine.

Why the warning then?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wsw70
Communicator
‎02-19-2013 02:25 AM

Well, since the warning disappeared, it looks like there is a running 24h window for its presence (in the sense that if the issue appears at 16:00 on a given day it will stay until 16:00 the next day, even though the indexing counters are reset at midnight).

This is a guess but since there are no other inputs I will close the question as it.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

wsw70
Communicator
‎02-19-2013 02:25 AM

Well, since the warning disappeared, it looks like there is a running 24h window for its presence (in the sense that if the issue appears at 16:00 on a given day it will stay until 16:00 the next day, even though the indexing counters are reset at midnight).

This is a guess but since there are no other inputs I will close the question as it.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...