Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Licence issue

sankarr
New Member
‎08-21-2012 05:50 AM

Hello,
i am using splunk enterprise (trial) 4.3.3 version.i have indexed the real time log using splunk and scheduled two search alerts for every 4 hours. The file size not reached 500mb but got warning message like limit exceeded twice. is that something i have not indexed properly? if i get a licence will get a same problem right? i beleive other system default indexes utilizing more memory.how to avoid this?

Tags (1)
0 Karma
Reply

sankarr
New Member
‎08-21-2012 08:33 AM

Hello,

Thanks for your reply..i can index 500MB per day using the enterprise version.when i ran the query index volume exceeded twice.I am new to this tool..I have pointed the real time SIP log,every 4 hour serching the keyword ALARM. i believe it's serching from the top of the log file again and again..how to search tail lines in the runtime logs?

Thanks
Sankar

0 Karma
Reply

abhayneilam
Contributor
‎10-09-2012 11:33 AM

all the files of a particular folder is not getting imported automatically, only the first file is getting added..please suggest any solution !!

0 Karma
Reply

Sqig
Path Finder
‎08-21-2012 10:20 AM

I'm not sure I'm following.

With Splunk, you point it at a logfile and it consumes the entire file. It then continues to consume new lines as they get added to the log file. So you are actually indexing the full volume in the file, not just whatever your results of searches are.

0 Karma
Reply

Sqig
Path Finder
‎08-21-2012 07:22 AM

When you go to Manager -> License, what does it show as your daily volume?

My guess would be that you may be Indexing things you are not aware of.

What does Splunk thing you indexed? Try searches like these to check your daily indexing volume totals or volume sorted by index or sourcetype. This will help you confirm that you really are not Indexing more data than 500MB per day.

Total:

index=_internal per_index_thruput earliest=-7d@d latest=now | timechart span=1d eval(sum(kb)/1024) as "Daily Indexing Volume in MB"

By Index:

index=internal metrics kb series!=* "group=per_index_thruput" daysago=7| eval indexed_mb = kb / 1024  | timechart fixedrange=t span=1d sum(indexed_mb) by series

By Sourcetype:

index=internal metrics kb series!=* "group=per_sourcetype_thruput" daysago=7| eval indexed_mb = kb / 1024 | timechart fixedrange=t span=1d sum(indexed_mb) by series

Edit: Original was in GB... I converted to MB for this post.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...