I'm running a cli search via command line in a search server.
I've already updated srchDiskQuota = 3000 to the role of the user running this query.
But I'm still getting this error, and only get 1/4 size of a full day's worth of events.
WARN: Search auto-finalized after disk usage limit (500MB) reached.
Is there anything else I need to check? How can I resolve this warning?
where did you put the authorize.conf with the srchDiskQuota parameter? it needs to be in
Did you restart splunk service?
could you post your authorize.conf?
Couple of details...
I'm running a 2 search server model, but only running the query on search01.
Both search servers are pulling configs in a shared nfs directory, and I can verify it has the right configs when I run ./splunk cmd btool authorize list
Authorize.conf is in
/opt/splunk/(nfs symlink dir)/etc/apps/search_base/local/
I restarted the service.
Here's my authorize.conf for this particular user's role:
importRoles = bi
rtSrchJobsQuota = 0
srchDiskQuota = 3000
srchJobsQuota = 0
I think that authorize.conf need to be on each Search Head splunk/etc/system/local not on shared folder or inside an app...