When looking for a way to count quota-exceeded events, we might find the page “Splunk > Wiki : Community:TroubleshootingIndexedDataVolume Troubleshooting Indexed Data Volume”.
From it, we can use the following search to get the count:
    index=_internal source=*license_audit.log LicenseManager-Audit
    | streamstats current=f global=f window=1 first(quotaExceededCount) as next_quotaExceededCount by host
    | eval quotadiff = next_quotaExceededCount - quotaExceededCount
    | search quotadiff>0
But in my case, I only want to know the last value of the quotaExceededCount. So I modified it.
    index=_internal licensemanager
    | stats first(quotaExceededCount) by host
Finally, I would use the quotaExceededCount value to judge whether data can no longer be imported.
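To show what the two searches above compute, here is an added Python emulation (not code from the original post or from Splunk). It assumes events are processed newest first, as Splunk returns them by default, which is why `first()` yields the latest value. The event dictionaries and function names are constructed for illustration.

```python
# Added illustration: emulates both searches on already-extracted events.
# EVENTS is constructed sample data, not real license_audit.log output.
EVENTS = [
    {"_time": 1, "host": "idx1", "quotaExceededCount": 0},
    {"_time": 2, "host": "idx1", "quotaExceededCount": 1},
    {"_time": 3, "host": "idx1", "quotaExceededCount": 1},
    {"_time": 4, "host": "idx1", "quotaExceededCount": 3},
    {"_time": 2, "host": "idx2", "quotaExceededCount": 2},
    {"_time": 4, "host": "idx2", "quotaExceededCount": 0},  # counter dropped
]


def newest_first(events):
    """Order events the way a Splunk event search returns them by default."""
    return sorted(events, key=lambda e: e["_time"], reverse=True)


def quota_increases(events):
    """Emulate: streamstats current=f global=f window=1
    first(quotaExceededCount) as next_quotaExceededCount by host
    | eval quotadiff = next_quotaExceededCount - quotaExceededCount
    | search quotadiff>0"""
    seen_before = {}  # host -> count of the event just before this one in the stream
    hits = []
    for ev in newest_first(events):
        host, count = ev["host"], ev["quotaExceededCount"]
        nxt = seen_before.get(host)
        seen_before[host] = count
        if nxt is None:
            continue  # newest event per host has no neighbour: quotadiff is null
        diff = nxt - count
        if diff > 0:  # a drop gives a negative diff and is filtered out
            hits.append({**ev, "next_quotaExceededCount": nxt, "quotadiff": diff})
    return hits


def latest_count_by_host(events):
    """Emulate: stats first(quotaExceededCount) by host."""
    latest = {}
    for ev in newest_first(events):
        # first value seen per host in newest-first order is the most recent one
        latest.setdefault(ev["host"], ev["quotaExceededCount"])
    return latest


if __name__ == "__main__":
    for row in quota_increases(EVENTS):
        print(row)
    print(latest_count_by_host(EVENTS))
```

Each row returned by `quota_increases` is the event just before the counter went up, with `quotadiff` giving the size of the increase.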