Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

'daily indexing volume limit exceeded' still showing up after removing reference to large data source

gmodeloh
Engager
‎12-06-2011 09:09 AM

Have Splunk v4.2.4 installed as stand-alone (trial license).

Imported a huge file and got the 'daily indexing volume limit exceeded' message. Removed the reference to the huge file by going to Manager --> Data Inputs --> Files & Directories and deleting the reference. A day later and the 'daily indexing volume limit exceeded' message still shows across the top of Splunk Web. On Manager --> Licensing shows 0% of quota volume used today but with a new alert '1 pool warning reported by 1 indexer, correct by midnight to avoid violation'.

What am I missing? All roads have let me to the Admin Manual, About License Violations page (http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations) which doesn't seem to help me fix the problem and prevent a new violation. Any ideas, much appreciated.

Thanks,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Drainy
Champion
‎12-06-2011 09:18 AM

Hi, in that link read in particular;

Violations occur when you exceed the
maximum indexing volume allowed for
your license. If you exceed your
licensed daily volume on any one
calendar day, you will get a violation
warning. The message persists for 14
days

So it will go after 14 days without a violation 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

Drainy
Champion
‎12-06-2011 09:18 AM

Hi, in that link read in particular;

Violations occur when you exceed the
maximum indexing volume allowed for
your license. If you exceed your
licensed daily volume on any one
calendar day, you will get a violation
warning. The message persists for 14
days

So it will go after 14 days without a violation 🙂

Reply
Solved! Jump to solution

gmodeloh
Engager
‎12-06-2011 09:38 AM

Thanks Draineh. What confused me is that today I have another 'correct by midnight' message. But guess your point is to check the 'volume used today' after making changes.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...