Solved: Controlled license violation - read a single huge ...

FRoth · ‎08-20-2013

We received a log file containing incident data that has more than 30 GB.
Our license allows a daily indexing volume of 10 GB.
What would happen if we indexed the whole file? I suppose that we would trigger a single license alert, isn't it?

Is there a limit that disables splunk completely, let's say if we would index a file of 60GB on a single day or 80 GB?

rturk · ‎08-20-2013

You get up to 5 violations in a rolling 30 day period. This gives you the flexibility to do the occasional large file (such as your 30GB file) without impacting your ability to use the platform. There is no maximum file size that would disable Splunk completely, although you just need to be sure that your servers can index the volume of data you want to.

In the event that you do exceed the licensing 5 times, Splunk won't stop indexing, but it will stop your ability to search against the data (incl. summary & scheduled searches). This would also impact dashboards as they are populated by searches.

Hope this helps 🙂

View solution in original post

rturk · ‎08-20-2013

You get up to 5 violations in a rolling 30 day period. This gives you the flexibility to do the occasional large file (such as your 30GB file) without impacting your ability to use the platform. There is no maximum file size that would disable Splunk completely, although you just need to be sure that your servers can index the volume of data you want to.

In the event that you do exceed the licensing 5 times, Splunk won't stop indexing, but it will stop your ability to search against the data (incl. summary & scheduled searches). This would also impact dashboards as they are populated by searches.

Hope this helps 🙂

Controlled license violation - read a single huge logfile

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life