I want to monitor a directory that already has many gbs of data (historical data). New data is added to that directory but in a low rate 50mbs/daily. I want to index all the data to Splunk without exceeding the daily limit. I don't need all the data to be indexed at once.
On limits.conf there is a setting called maxKBps, but it seems it's related to forwarders.
Go ahead and index it all at once. If you blow your license it'll only be one time. You're allowed 3 violations per month, IIRC.
Go ahead and index it all at once. If you blow your license it'll only be one time. You're allowed 3 violations per month, IIRC.
This is not an option. If I do that I will exceed 3 violations per month.
Ok. how much data I can index above the limit in a single day?
as much as you want
you can index terabytes of data in a day and count as 1 warning
@richgalloway answer is correct IMHO
Ohh cool. I didn't know that. Thanks