Splunk Search

WARN: Search auto-finalized after disk usage limit (500MB) reached. WARN: Search auto-finalized after disk usage limit (500MB) reached.

Path Finder

I'm running a cli search via command line in a search server.

I've already updated srchDiskQuota = 3000 to the role of the user running this query.
But I'm still getting this error, and only get 1/4 size of a full day's worth of events.

WARN: Search auto-finalized after disk usage limit (500MB) reached.

Is there anything else I need to check? How can I resolve this warning?

Tags (4)
0 Karma


where did you put the authorize.conf with the srchDiskQuota parameter? it needs to be in splunk/etc/system/local

Did you restart splunk service?

could you post your authorize.conf?

Troubleshooting Search Quotas


I think that authorize.conf need to be on each Search Head splunk/etc/system/local not on shared folder or inside an app...

0 Karma

Path Finder

Couple of details...
I'm running a 2 search server model, but only running the query on search01.
Both search servers are pulling configs in a shared nfs directory, and I can verify it has the right configs when I run ./splunk cmd btool authorize list

Authorize.conf is in
/opt/splunk/(nfs symlink dir)/etc/apps/search_base/local/

I restarted the service.

Here's my authorize.conf for this particular user's role:
importRoles = bi
rtSrchJobsQuota = 0
srchDiskQuota = 3000
srchJobsQuota = 0

0 Karma
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...