All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How will the S.o.S. - Splunk on Splunk app impact my license usage in a distributed search environment?

shahneel
Path Finder
‎09-07-2015 09:40 AM

I tried to search this, but didn't seem to find an answer. I understand that all the logs that come to a Splunk Indexer from _INTERNAL does not count under Splunk licensing.

I have a distributed architecture in my Organization with Multiple Search Heads, Dispatchers, Indexers, and Forwarders, and I want to Start System Health Check using S.O.S. App. However, will this add additional data to indexer since the performance data from other servers (Forwarders etc) also needs to be indexed?

Can somebody please throw some light on this topic?

Thanks In advance

Best Regards,
Neel Shah

Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎09-08-2015 11:12 AM

The S.o.S app ships with two scripted inputs ( ps_sos.sh / ps_sos.ps1 and lsof_sos.sh) that gather process-level and resource usage information. These data input:

  • Are not enabled by default.
  • Write to the dedicated "sos" index.
  • Generate roughly between 50 and 75MB per instance where they are enabled, which is counted against your daily license quota.

That being said, please note that as of Splunk Enterprise 6.2 you can now use the Distributed Management Console (a built-in feature with no license quota impact) to get much more visibility of your Splunk deployment than you would with S.o.S.

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎09-08-2015 11:12 AM

The S.o.S app ships with two scripted inputs ( ps_sos.sh / ps_sos.ps1 and lsof_sos.sh) that gather process-level and resource usage information. These data input:

  • Are not enabled by default.
  • Write to the dedicated "sos" index.
  • Generate roughly between 50 and 75MB per instance where they are enabled, which is counted against your daily license quota.

That being said, please note that as of Splunk Enterprise 6.2 you can now use the Distributed Management Console (a built-in feature with no license quota impact) to get much more visibility of your Splunk deployment than you would with S.o.S.

Reply
Solved! Jump to solution

hortonew
Builder
‎09-07-2015 09:03 PM

The S.o.S. app by default does not have any inputs enabled, so it shouldn't affect your license at all. The app has built in functions to analyze your environment with the data that is already present.

You can however enable the scripted inputs present in inputs.conf, which may impact the license a little (not a lot).

0 Karma
Reply
Solved! Jump to solution

shahneel
Path Finder
‎09-08-2015 01:06 AM

I am not really sure about this, the reason being that i am using DISTRIBUTED Architecture. If i was using Single Server instance, then mabie there would hav been no data consumption. Since indexing of _INTERNAL Logs are not a part of License.

But the tricky part is when data from other Forwarders flow to Indexer. I am not sure if that is part of license.

If you can guide me on that ?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...