Solved: Daily indexing volume exceeded.

smolcj · ‎11-08-2012

Hi all, I am sorry to ask you this question, which has already answered several times before.
Do i have to remove those indexed data before midnight. i failed to do it. will it be a issue later. or the message will disappear after 14 days?
Thank you

alacercogitatus · ‎11-08-2012

You should never have to remove or lose data for a violation. If you violate your license too many times, search will be disabled. The message will go away after a while, yes.

View solution in original post

DaveSavage · ‎11-08-2012

Check out: http://docs.splunk.com/Documentation/Splunk/4.3.4/Admin/Aboutlicenseviolations

DaveSavage · ‎11-08-2012

Splunk (in my experience) are not mean on this subject. If you have 3 strikes in a calendar month then it will stop searches. Spikes due to initial start up / take-on are sort of expected because it is difficult to calculate with great certainty what you need. If your problem is recurrent and persistent then talk to sales.

DaveSavage · ‎11-08-2012

@sowings - absolutely correct, a slip of imprecision on my behalf there. Amended. Thanks

sowings · ‎11-08-2012

To be clear, it stops allowing search, except on the _internal index; it doesn't stop indexing.

alacercogitatus · ‎11-08-2012

You should never have to remove or lose data for a violation. If you violate your license too many times, search will be disabled. The message will go away after a while, yes.

Daily indexing volume exceeded.

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability