Index Limit Reached

pmgsupport
New Member

I am a new user and just today created a new Windows 2008 R2 server and installed using the following script:

msiexec.exe /i splunk-6.0-182037-x64-release.msi AGREETOLICENSE=Yes INSTALLDIR="E:\Program Files\Splunk" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_FWD_ENABLE=1 WINEVENTLOG_SET_ENABLE=1 REGISTRYCHECK_LM=1 REGISTRYCHECK_BASELINE_LM=1 WMICHECK_CPUTIME=1 WMICHECK_LOCALDISK=1 WMICHECK_FREEDISK=1 WMICHECK_MEMORY=1 LOGON_USERNAME="DOM\DOMSPLUNK" LOGON_PASSWORD="asd34I2Wy" LAUNCHSPLUNK=1 INSTALL_SHORTCUT=1 /quiet

As soon as my install was successfully completed I logged into the web interface and noticed that my limit was reached due to the monitoring of my local event logs.

While I do not really have a good understanding of what the limit really means and how it affects my searches, I would appreciate any advice. So far I have about 10 minutes of post-install experience with the product.

Looks cool though.
-Ajay


kristian_kolb
Ultra Champion

Since this was a fresh Splunk install on a machine that has been running for some time, I guess that the combined amount of all logs that you monitor exceeds the 500MB/day limit that the 'Free' and 'Download Trial' licenses allow. So the first time Splunk starts up, it will consume all historical log entries for the specified log sources, and depending on your configuration for log file retention, that can be a lot.

Most likely, this will not be the case in the days to come, unless you have a very busy system. And you are allowed to have 3 license warnings within the last 30 days (rolling).

BTW, Welcome to Splunk! Hope you enjoy the ride.

/K

lukejadamec
Super Champion

In Splunk/etc/apps/MSICreated/local you should find an inputs.conf file that will contain the configuration for monitoring your local event logs. Change disable from 0 to 1 for the events you don't want, and restart Splunk.

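As an added example (not from the thread or from Splunk), the following script performs the edit described above on an inputs.conf: every stanza whose name starts with a given prefix such as WinEventLog:// gets disabled = 1, and a stanza that has no disabled key at all gets one added, because Splunk treats a missing key as enabled. The sample configuration embedded in the script is constructed, not copied from a real install.

```python
"""Set disabled = 1 on selected stanzas of a Splunk inputs.conf (added example)."""
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the WinEventLog stanzas the MSI installer
# creates; the monitor:// path is made up and only shows an untouched stanza.
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Application]
disabled = 0
checkpointInterval = 5

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]

[monitor://E:\\logs\\app.log]
disabled = 0
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def disable_stanzas(conf_text: str, prefix: str) -> Tuple[str, List[str]]:
    """Return (new_text, changed_stanza_names).

    Every stanza whose name starts with `prefix` ends up with `disabled = 1`;
    other stanzas, comments and blank lines are preserved byte for byte.
    """
    blocks: List[Tuple[Optional[str], List[str]]] = []
    current: Tuple[Optional[str], List[str]] = (None, [])  # lines before 1st stanza
    for line in conf_text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            blocks.append(current)
            current = (m.group(1), [])
        else:
            current[1].append(line)
    blocks.append(current)

    out: List[str] = []
    changed: List[str] = []
    for name, body in blocks:
        if name is not None:
            out.append(f"[{name}]")
            if name.startswith(prefix):
                changed.append(name)
                hit = [i for i, l in enumerate(body)
                       if l.partition("=")[1] and l.partition("=")[0].strip() == "disabled"]
                for i in hit:
                    body[i] = "disabled = 1"          # flip an existing key
                if not hit:
                    body.insert(0, "disabled = 1")    # absent key means enabled, so add one
        out.extend(body)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_conf, names = disable_stanzas(SAMPLE_INPUTS_CONF, "WinEventLog://")
    print("disabled:", ", ".join(names))
    print(new_conf)
```

Restart Splunk after writing the modified file back, as the answer above says; the change stops new event-log indexing but does not remove data already indexed.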

pmgsupport
New Member

Thank you Kristian for your quick response. I will limit my inputs and hope that the indexer is good to me.

Is there a method for me to remove the data collected from the local event log? The local machine (splunk server) event log data is not of interest to me.
-Ajay
