I'm running a cli search via command line in a search server.
I've already updated srchDiskQuota = 3000 to the role of the user running this query.
But I'm still getting this error, and only get 1/4 size of a full day's worth of events.
WARN: Search auto-finalized after disk usage limit (500MB) reached.
Is there anything else I need to check? How can I resolve this warning?
where did you put the authorize.conf with the srchDiskQuota parameter? it needs to be in splunk/etc/system/local
Did you restart splunk service?
could you post your authorize.conf?
I think that authorize.conf need to be on each Search Head splunk/etc/system/local not on shared folder or inside an app...
Couple of details...
I'm running a 2 search server model, but only running the query on search01.
Both search servers are pulling configs in a shared nfs directory, and I can verify it has the right configs when I run ./splunk cmd btool authorize list
Authorize.conf is in
/opt/splunk/(nfs symlink dir)/etc/apps/search_base/local/
I restarted the service.
Here's my authorize.conf for this particular user's role:
[role_bot-bi]
importRoles = bi
rtSrchJobsQuota = 0
srchDiskQuota = 3000
srchJobsQuota = 0