how to avoid exceeded daily indexing volume limit ...

baalchina · ‎01-18-2013

hello everyone,

I am testing splunk, and add an iis server to splunk server. For this server had ran for years, about 12g logs in the it.

So I found splunk notice me

Daily indexing volume limit exceeded today.

very soon.

Beacuse this server cannot generate 500M logs in a single day, so in normal time everything will be ok, but what can I do if I add this server in the first time to avoid exceed daily limit?

Thanks.

jodros · ‎01-18-2013

You are allowed to burst above your daily indexing licensing limit 5 times in 30 days with an Enterprise license. A message will appear and remain for 14 days notifying you that you went above you daily licensing limit, but search will not be disabled. I usually just called into support and they can turn the warning message off. I find it is best to plan for adding servers with a large amount of backfill data, and add them all on the same day.

You can also add a limits.conf file to the IIS server Splunk config to throttle the amount of logs being indexed using the "maxKBps = integer" statement. For example maxKBps = 512 would limit the speed of logs being send to not exceed 512 KBps. Please notice that this is in Bytes, not bits as most networking notation uses.

jodros · ‎02-19-2013

baalchina, just checking in to see if you issue is now resolved.

thanks

jodros · ‎01-21-2013

baalchina, did the supplied answer resolve your issue? If so, please select it as the accepted answer.

Thanks

jodros · ‎01-18-2013

Did this answer resolve you question? If so, please mark it as the accepted answer.

Thanks

how to avoid exceeded daily indexing volume limit when adding new server?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!