Splunk Search

WARN: Search auto-finalized after disk usage limit (500MB) reached. WARN: Search auto-finalized after disk usage limit (500MB) reached.

Path Finder

I'm running a cli search via command line in a search server.

I've already updated srchDiskQuota = 3000 to the role of the user running this query.
But I'm still getting this error, and only get 1/4 size of a full day's worth of events.

WARN: Search auto-finalized after disk usage limit (500MB) reached.

Is there anything else I need to check? How can I resolve this warning?

Tags (4)
0 Karma

Motivator

where did you put the authorize.conf with the srchDiskQuota parameter? it needs to be in splunk/etc/system/local

Did you restart splunk service?

could you post your authorize.conf?

Troubleshooting Search Quotas

Motivator

I think that authorize.conf need to be on each Search Head splunk/etc/system/local not on shared folder or inside an app...

0 Karma

Path Finder

Couple of details...
I'm running a 2 search server model, but only running the query on search01.
Both search servers are pulling configs in a shared nfs directory, and I can verify it has the right configs when I run ./splunk cmd btool authorize list

Authorize.conf is in
/opt/splunk/(nfs symlink dir)/etc/apps/search_base/local/

I restarted the service.

Here's my authorize.conf for this particular user's role:
[role_bot-bi]
importRoles = bi
rtSrchJobsQuota = 0
srchDiskQuota = 3000
srchJobsQuota = 0

0 Karma