All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What are your options when you go over the license limit?

thesteve
Path Finder
‎04-25-2014 03:49 PM

I had a log file go crazy. It shot up to 400MB before I noticed and of course that pushed me over the daily limit.

I'm wondering what the options are from here. Moving forward, I can limit the index size of that particular log (and others), but what about the rest of today?

Does this mean that I can't index anything else until after midnight?

Can I possibly delete the abnormally large index and continue?

The warning message I received said to "correct this before midnight". I have corrected the issue that caused this so it won't happen again, but is there any way to undo things such that I see normal behavior for the remainder of the day?

I'm not interested in the large set of data that was indexed. The root cause was detected and eliminated.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-25-2014 04:16 PM

See http://docs.splunk.com/Documentation/Splunk/6.0.3/Admin/Aboutlicenseviolations for the "official" version.

The most important thing to do is to make sure you won't exceed your license tomorrow for the same reason, and it appears you've done that already.
As for the rest of today, go nuts. Index ALL the files \o/ you've always wanted to, it doesn't matter how far you exceed your license within one day. What matters is the number of days with a violation in the past 30 days.
There's no "un-indexing" that rolls back your license, the "correct before midnight" is there to make sure you won't exceed your license tomorrow if the error is not corrected before midnight.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-25-2014 04:16 PM

See http://docs.splunk.com/Documentation/Splunk/6.0.3/Admin/Aboutlicenseviolations for the "official" version.

The most important thing to do is to make sure you won't exceed your license tomorrow for the same reason, and it appears you've done that already.
As for the rest of today, go nuts. Index ALL the files \o/ you've always wanted to, it doesn't matter how far you exceed your license within one day. What matters is the number of days with a violation in the past 30 days.
There's no "un-indexing" that rolls back your license, the "correct before midnight" is there to make sure you won't exceed your license tomorrow if the error is not corrected before midnight.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...