Hi,
Im using the free version of splunk and yesterday i went over my limit of /var/adm/messages being indexed. This was fine because i fixed the issue spamming my messages file. However today at 1am splunk tells me that for today i have also already exceeded my index max of 500mb. Now i checked the kb per hour and the messages file itself and i havent recieved but about 10mb of messages today and splunk thinks ive exceeded my max. Can anyone help me figure out what is causing this ? I have some info below to help but it almost seems that splunk re-indexed my /var/adm/messages file as the index amount was the same for yesterday and today when the error first showed up.
lunk help list" for usage and examples.
root@dtoaudit1:/opt/splunk/bin# splunk show license
Product: Splunk Server (free)
License Level: 500 MB/day peak indexing
Peak Usage: 1.11 GB/day
Peak %: 2.3%
Expiration Date: 07/14/2017
Time Remaining: 2819 days
root@dtoaudit1:/opt/splunk/var/log/splunk# tail -5 license_audit.log
10-23-2009 15:59:17.004 INFO LicenseManager-Audit - Audit:[timestamp=1256327957 quotaExceededCount=0, lastExceedDate=0, peak=9438122, rolloverCount=104, totalCumulativeBytesAtRollover=17827282][GC8cB2ATTFppq2MJI3SbAzWLzXRrwfGqxNRmTb6zNwSgHVjwOejxiUEXUjrk4ROmG2jWtzylzq1yNyBLWMa6qDov8yEDBAIF9aQtWDEq1k71onkbyUXReW/IYAZOpp4/5QZmG4GZ5jEN+OeBg7uibYBCGKVoZksugPBiZHTXnvEsQiLGAZw8I7PVtPvs/Ze1DtXfP2Yqvg8nGE81k4t6VQWRq8HXogL5H908U2NdP5d76qV+UdjrJOhj9dE+f3Xk9lDCoXvScfIzNAEcRDdBL6QujdaK79hEHiQ90CoqXO9zxSA7wZnmIJB5eCiZKnyuiCzge3EymOUmTq5ULmc9HQ==]
10-24-2009 00:00:02.903 INFO LicenseManager-Audit - Audit:[timestamp=1256356802 quotaExceededCount=0, lastExceedDate=0, peak=1192285838, rolloverCount=105, totalCumulativeBytesAtRollover=1210113120, todaysBytesIndexed=1192285838][mV+Z0R5h2py5swdV4nba3R+1lxUwvBI6nU019qh7P1gEi+2RJHTO5QAltmMWYu4PSWNiWr6Qvz+RQEmSrqjt4WcQXRSKXWYcdVI2EqXccmH4xSodq2RLyMz89q1Sv6An6RfkSwGMHsYBY0IJv2OY0OgnkEZjHgtXp8qDikOo0KWLN8bO0eNHxkNmEQMXh9ZUA2J+1rAcMvbNs8eZA8WeqdRUvEyswcJ8yRV7Vcl8S81h+XHMMIHNa82l8EcOFnu3zUJhiZOO269G7NwBPuIlGsvyDjWpJKpL8kpt7el50aw/O/wR88N16Ls5hVbwwDOOTvPWsNMIG7snDQqN3Lq8eQ==]
10-24-2009 23:39:19.223 INFO LicenseManager-Audit - Audit:[timestamp=1256441959 quotaExceededCount=1, lastExceedDate=1256356802, peak=1192285838, rolloverCount=105, totalCumulativeBytesAtRollover=1210113120][Ng9SEMPzRqg0+2TkqYAd+TnRtAADS61v1wsrHgD6R+wtHfx/SwL+2dh6JJNaVUa1ny1nGXUeUk5CIgKgDUVUhqlY82dahCvbKgpf4Oh2H+58TUxWW/OcAiaq+aD+R25L8DaThzVXbKKgY7iG4uuwlp/cEeZyeGrTrOFLcojVGfR551UHbGqEIfLp7gBAPYbUQPhyEE5ivBW4ylGOPd5rnn3SreZFwXkSOoXmuKrFRQ3VBK4uptIEeqBSg1f/dwCaOczPqvwNJyK9B8ktpsxjqjHtO6vtT+6WwIeaiBnuEncPg/gUHWfrQCp66gzPLcbVc5+1kOIZTtFm8L4TDFbOug==]
10-24-2009 23:46:09.353 INFO LicenseManager-Audit - Audit:[timestamp=1256442369 quotaExceededCount=1, lastExceedDate=1256356802, peak=1192285838, rolloverCount=105, totalCumulativeBytesAtRollover=1210113120][hDsUbiArxINXeXnxg/Xynr+kLjzm4w9B7PMRGrKz1px0/xyXHj5Jgs+WZsdtXCIQBTXrb2VX+AmogZJOMe3CtsMTmKaAPT+lCk7ZYB89YQaxkpba3LIKOJbKPaoKnoPsQfREm9JUnABDdKljZu9OyaIj3WqJabb5Drd36Uz5cvj1UY5Mmb0E+rSkF/lu40fNbQoKPYXorrCyXKUAwmdXWjxoZK7K3Ohsw6eN47WCoPmClfq1QC2i9MCHJz4t2hM+Q3utYlEY9CyplEwHYswzrE1s9ica1L2Sfb8CcfbNp4pKNHVwKESjmL8i5gMGQks46lMPn4cVLs8dN6thLYlmPw==]
10-25-2009 00:01:18.747 INFO LicenseManager-Audit - Audit:[timestamp=1256443278 quotaExceededCount=1, lastExceedDate=1256356802, peak=1192285838, rolloverCount=106, totalCumulativeBytesAtRollover=2399253519, todaysBytesIndexed=1189140399][gkpI7dtTn2nPPkYJFF5c1zeUoe6m5euX7xVTNV9lUQ0VHSguj0cj9/pOZ2NDATTLi7g4qrCr9qtOVSBySbbmA4xi9onz/dQr3SNentmN+oF8R9J3STw3lJ5XDyuEroDiJsjmori1NS21+O/8b8KGSyCwDZqJuFNOKlFCFcpFep8oRFi8D7zeJTD/gW0gTSFt83W3zSK9L7jpFF09vE1jboDj6g+Axn2TPUgriFBLGioFVa59UsSimGzQiXQXw/intMaAImGtczKfqYtLY2rc5Bw6G1damM82Vlhgq7eW3vyZoC8QvGxZhN1U7gYg0DM1cKZ3wJDbAZQiHCjoQ8j/Mg==]
root@dtoaudit1:/opt/splunk/var/log/splunk# s^C