Refine your search:

Setting a maximum limit on a monitored file

0

We just had an application bug that spewed millions of duplicate messages into a Splunk monitored logfile. This caused a license violation to be triggered, before anyone could do anything about it.

In order to prevent this type of violation from happening we are considering putting a hard limit on the maximum logfile size Splunk can index. Most of our logfiles are normally apx < 300MB daily. So if we have a logfile that has > 500MB, we want to ignore anything else that is logged to the file after 500MB.

Is it possible to put such a hard byte limit on a monitored logfile or input source?

I've seen some answers that suggested putting a maxKBps datatransfer per second limit (in limits.conf), this one option, but perhaps some other option in Splunk could be used as well?

asked 03 Feb, 17:48

genemats's gravatar image

genemats
211
accept rate: 0%

Be the first one to answer this question!
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×28
×15
×7
×2

Asked: 03 Feb, 17:48

Seen: 264 times

Last updated: 03 Feb, 17:48

Related questions

Splunk Light Forwarder - Maximum file size for a monitored file?

maximum file size?

Maximum row limit squashing lookup

How can I limit outputcsv file size?

setting maximum input/log entry size

Why do I still get "Daily indexing volume limit exceeded" violation if we hard limit my overall index size to 500mb?

key/field size limit

Syslog data from UDP. Maximum message size?

Splunk goes over limit when it monitors a shared log file

Copyright © 2005-2012 Splunk, Inc. All rights reserved.