I am still on a trial of the enterprise version. I have one central splunk server and several forwarders setup.
This morning Splunk says: Daily indexing volume limit exceeded.
Can I back track and remove something?
I have one file that was added directly as a input to splunk that generated a lot of traffic. I tried sourcetype=<> | delete but it seems to struggle deleting >20M events.
Is it something I'm doing wrong?
Can I setup Splunk to prune indexed data older than X and I just missed that setting somewhere?
Unfortunately there is no way to reverse/unindex data that caused you to violate the license. Search should still work, as should indexing -- you can violate the license a few times in any given 30 day period and still have a working system.
Even if you adjust retention times, this will not affect your indexing license. The licensing model is based on daily index volume, not total indexed volume over all time.
answered 03 Dec '10, 15:28