Splunk Enterprise

Why a new warning about daily indexing volume exceeded?

wsw70
Communicator

Yesterday I got a warning about daily indexing volume exceeded. The warning was correct; I made a mistake with one of the data sources. This was corrected yesterday.

This morning I see two warnings: a permanent one (the one from yesterday) and a current one (the same one I saw yesterday). How come it is re-issued, since I do not see anything suspicious in the view suggested by the docs?

The view for yesterday was:

series                  sum(MB)
vsec2dsy                1920.6647500677
ips_cisco               132.3562946397
_internal               61.512698216
trendmicro              18.6259823111
_audit                  4.6508560657
main                    0.9820251170
iwsva                   0.8498468754
nessus2                 0.174271584
officescancompliance    0.132205010

I have a license for 1GB, exceeded by the vsec2dsy index.

The view for today:

series        sum(MB)
ips_cisco     64.9516515819
_internal     23.472163197
trendmicro    5.9117831667
_audit        1.2491817557
vsec2dsy      0.379042632
main          0.234364522
iwsva         0.120780947

So everything is fine.

Why the warning then?

0 Karma
1 Solution

wsw70
Communicator

Well, since the warning disappeared, it looks like there is a running 24h window for its presence (in the sense that if the issue appears at 16:00 on a given day it will stay until 16:00 the next day, even though the indexing counters are reset at midnight).

This is a guess, but since there are no other inputs I will close the question as is.

0 Karma
