Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why Splunk did not warn when running out log size?

jw44250
New Member
‎06-15-2017 05:50 PM

I have 5GB size max per day for a log (s). went above it almost 8 but lost the earliest data. in any file system if there is no space you will get warning but u will not lose your data....for example ...let say having folder in window, linux with 200MB occupied, when the next data is added -- warnig will pop up with some message..

I am not sure about how SPlunk does it..but i think ...what it does..the data is arranged in term of bucket and each bucket has four stages warn-->cold--> hot--> frozen... the data will moved with these stages now and than the old data that x bucket will be replaced with new data so the existing data is lost ...to increase 5GB to 10GB - 20 GB what is the point ...again it can happend...

Guys -- I am not Splunk Admin...just normal user. but I dont get a good answer so far...

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎06-15-2017 06:34 PM

the data is arranged in term of bucket and each bucket has four stages warn-->cold--> hot--> frozen

the correct four stages are hot---> warm ---> cold ---> frozen.

I have 5GB size max per day for a log (s). went above it almost 8 but lost the earliest data.
you mean the daily license limit of 5GB ? or some other log limit?
maybe, you have not lost any data. (just not able to search, maybe)
also, what version of Splunk?
this issue is bit confusing.. some more clear info please.

0 Karma
Reply

jw44250
New Member
‎06-15-2017 09:38 PM

SPlunk has retention period and allocated storage as. ..there are fields called max-daily usages, etc ...yes i lost data otherwise i would not raise this question....

Max-daily usage is 5GB if you go above that then u will lose data..i'm about sure about Splunk version

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎06-15-2017 10:46 PM

Max-daily usage is 5GB if you go above that then u will lose data
seems like, daily license limit is 5GB and if you go above the 5GB, you will get license warning, data will be still indexed.
i'm about sure about Splunk version
i think you mistyped. to check your splunk version, on the login screen, lower part you could see like -
"@ 2005-2017 Splunk Inc. Splunk 6.3.4 build cae2458f4aef "

0 Karma
Reply

jw44250
New Member
‎06-16-2017 10:00 AM

© 2005-2017 Splunk Inc. All rights reserved.

0 Karma
Reply

jw44250
New Member
‎06-16-2017 10:01 AM

Splunk Version 6.5.2.1

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...