Hi Good mornig we have the Splunk Enterprise in my company where i work and sudenly appers the next message Daily indexing volume limit exceeded cai I unblock temporary by mi self restarting the splunk o do i have to do something else.Thank you for you atenttion regards and have a good day.
Warnings and violations occur when you exceed the maximum indexing volume allowed for your license.
If you exceed your licensed daily volume on any one calendar day, you get a violation warning. If you have 5 or more warnings on an enforced Enterprise license, or 3 warnings on a Free license, in a rolling 30-day period, you are in violation of your license.
If you get a license warning, you have until midnight (going by the time on the license master) to resolve it before it counts against the total number of warnings within the rolling 30 day period.
Splunk does not stop indexing your data. Splunk only blocks search while you exceed your license. Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days.
Please refer the below link in order to know more details about license violations.
http://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Aboutlicenseviolations
Hope the above addresses your queries.
Cheers,
Meeran.
Restarting Splunk will not clear the license violation. A single violation should not cause problems. However, if the limit was exceeded all weekend and you can no longer conduct searches, you must contact Splunk for a special key that will reset the violation. Be sure to correct the cause of the violation first.
See About license violations in the Admin Manual for more information.