Splunk Search

WARN: Search auto-finalized after disk usage limit (500MB) reached. WARN: Search auto-finalized after disk usage limit (500MB) reached.

suhprano
Path Finder

I'm running a cli search via command line in a search server.

I've already updated srchDiskQuota = 3000 to the role of the user running this query.
But I'm still getting this error, and only get 1/4 size of a full day's worth of events.

WARN: Search auto-finalized after disk usage limit (500MB) reached.

Is there anything else I need to check? How can I resolve this warning?

Tags (4)
0 Karma

MarioM
Motivator

where did you put the authorize.conf with the srchDiskQuota parameter? it needs to be in splunk/etc/system/local

Did you restart splunk service?

could you post your authorize.conf?

Troubleshooting Search Quotas

MarioM
Motivator

I think that authorize.conf need to be on each Search Head splunk/etc/system/local not on shared folder or inside an app...

0 Karma

suhprano
Path Finder

Couple of details...
I'm running a 2 search server model, but only running the query on search01.
Both search servers are pulling configs in a shared nfs directory, and I can verify it has the right configs when I run ./splunk cmd btool authorize list

Authorize.conf is in
/opt/splunk/(nfs symlink dir)/etc/apps/search_base/local/

I restarted the service.

Here's my authorize.conf for this particular user's role:
[role_bot-bi]
importRoles = bi
rtSrchJobsQuota = 0
srchDiskQuota = 3000
srchJobsQuota = 0

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...