Why did Splunk not warn when running out of log size?

jw44250
New Member

I have a 5GB max size per day for a log(s). It went above that, to almost 8, but I lost the earliest data. In any file system, if there is no space you will get a warning but you will not lose your data... for example, let's say you have a folder in Windows or Linux with 200MB occupied; when the next data is added, a warning will pop up with some message.

I am not sure how Splunk does it, but I think what it does is this: the data is arranged in terms of buckets, and each bucket has four stages, warn-->cold--> hot--> frozen... the data will move through these stages now and then, and the old data in bucket x will be replaced with new data, so the existing data is lost... What is the point of increasing 5GB to 10GB - 20GB? It can happen again...

Guys -- I am not a Splunk admin, just a normal user, but I haven't gotten a good answer so far...

0 Karma

inventsekar
Ultra Champion

> the data is arranged in term of bucket and each bucket has four stages warn-->cold--> hot--> frozen

The correct four stages are hot ---> warm ---> cold ---> frozen.

> I have 5GB size max per day for a log (s). went above it almost 8 but lost the earliest data.

Do you mean the daily license limit of 5GB, or some other log limit?
Maybe you have not lost any data (maybe you are just not able to search it).
Also, what version of Splunk?
This issue is a bit confusing. Some more clear info, please.

0 Karma

jw44250
New Member

Splunk has a retention period and allocated storage... there are fields called max-daily usages, etc... Yes, I lost data, otherwise I would not raise this question...

Max-daily usage is 5GB; if you go above that then you will lose data. I'm about sure about Splunk version

0 Karma

inventsekar
Ultra Champion

> Max-daily usage is 5GB if you go above that then u will lose data

It seems like the daily license limit is 5GB, and if you go above 5GB you will get a license warning; data will still be indexed.

> i'm about sure about Splunk version

I think you mistyped. To check your Splunk version, look at the lower part of the login screen, where you will see something like:
"@ 2005-2017 Splunk Inc. Splunk 6.3.4 build cae2458f4aef "

0 Karma

jw44250
New Member

© 2005-2017 Splunk Inc. All rights reserved.

0 Karma

jw44250
New Member

Splunk Version 6.5.2.1

0 Karma