All Apps and Add-ons

Why host with NULL hostname consumes most of the license and how to reduce its license usage?

AngelOps
New Member

We are getting alert about splunk license usage, when I login and go to deployment monitor - License Usage - By Host, I find the host which consumes most license(about 30GB everyday) has NULL hostname.
By clicking the NULL hostname, splunk jump to a search resulte "index="summary_hosts" | eval Mbytes = bytes/1048576 | eval _time = _time+1800 | rename my_host as host | search NOT host=*"

May I know what is it and is there anything we can do to reduce the usage of this host?

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi AngelOps,

you cannot limit a host license usage directly, you need to create a license pool and add the host to this pool - see docs about create license pool.

Also check what kind of data/events this host is sending the most and if you need them at all, if not you could either exclude the data source on the host or nullQueue the data on the indexer - see the docs about Discard specific events and keep the rest.

hope this helps ...

cheers, MuS

bmacias84
Champion

Checkout my previous post. You should be able to use the license.log file.

http://answers.splunk.com/answers/135612/how-to-create-chargeback-reports-in-splunk?page=1&focusedAn...

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...