Getting Data In

How to avoid exceeding daily limit when monitoring directory?

edrivera3
Builder

I want to monitor a directory that already has many gbs of data (historical data). New data is added to that directory but in a low rate 50mbs/daily. I want to index all the data to Splunk without exceeding the daily limit. I don't need all the data to be indexed at once.

  1. Is there a way to control how much data is indexed daily?

On limits.conf there is a setting called maxKBps, but it seems it's related to forwarders.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Go ahead and index it all at once. If you blow your license it'll only be one time. You're allowed 3 violations per month, IIRC.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Go ahead and index it all at once. If you blow your license it'll only be one time. You're allowed 3 violations per month, IIRC.

---
If this reply helps you, Karma would be appreciated.

edrivera3
Builder

This is not an option. If I do that I will exceed 3 violations per month.

0 Karma

edrivera3
Builder

Ok. how much data I can index above the limit in a single day?

0 Karma

adonio
Ultra Champion

as much as you want
you can index terabytes of data in a day and count as 1 warning
@richgalloway answer is correct IMHO

edrivera3
Builder

Ohh cool. I didn't know that. Thanks

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...