Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

why a new warning about daily indexing volume exceeded?

wsw70
Communicator
‎02-13-2013 12:42 AM

I got yesterday a warning about daily indexing volume exceeded. The warning was correct, I made a mistake with one of the data source. This was corrected yesterday.

This morning I see two warnings: a permanent one (the one from yesterday) and a current one (the same I saw yesterday). How come it is re-issued since I do not see anything suspicious in the view suggested by the docs?

The view for yesterday was:

series  sum(MB)
vsec2dsy    1920.6647500677
ips_cisco   132.3562946397
_internal   61.512698216
trendmicro  18.6259823111
_audit  4.6508560657
main    0.9820251170
iwsva   0.8498468754
nessus2 0.174271584
officescancompliance    0.132205010

I have a license for 1GB, exceeded by the vsec2dsy index.

The view for today:

series  sum(MB)
ips_cisco   64.9516515819
_internal   23.472163197
trendmicro  5.9117831667
_audit  1.2491817557
vsec2dsy    0.379042632
main    0.234364522
iwsva   0.120780947

So everything is fine.

Why the warning then?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wsw70
Communicator
‎02-19-2013 02:25 AM

Well, since the warning disappeared, it looks like there is a running 24h window for its presence (in the sense that if the issue appears at 16:00 on a given day it will stay until 16:00 the next day, even though the indexing counters are reset at midnight).

This is a guess but since there are no other inputs I will close the question as it.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

wsw70
Communicator
‎02-19-2013 02:25 AM

Well, since the warning disappeared, it looks like there is a running 24h window for its presence (in the sense that if the issue appears at 16:00 on a given day it will stay until 16:00 the next day, even though the indexing counters are reset at midnight).

This is a guess but since there are no other inputs I will close the question as it.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...