Solved: Still getting license violations on my search head...

mctester · ‎04-30-2010

I had the Unix app running for a while on this instance and that was indexing a lot of data so I disabled the 'os' index.

The only indexes I can see with any data going to them are the _internal and summary indexes, which shouldn't count against the license volume, right?

Mick · ‎04-30-2010

The Unix app is the culprit. Even though you have disabled the index where the data should be stored, the inputs are still running and the data is flowing through Splunk, until it gets to the indexing processor which will throw it away.

Indexed data volume in the 4.0.x and earlier versions was calculated before the data was actually written to disk, so even though your Unix app data isn't being kept, it still counts. If you disable the inputs, or the entire app, the violations will cease.

This has changed in the latest 4.1 release, and data volumes are now calculated as the disk is written to.

View solution in original post

Mick · ‎04-30-2010

The Unix app is the culprit. Even though you have disabled the index where the data should be stored, the inputs are still running and the data is flowing through Splunk, until it gets to the indexing processor which will throw it away.

Indexed data volume in the 4.0.x and earlier versions was calculated before the data was actually written to disk, so even though your Unix app data isn't being kept, it still counts. If you disable the inputs, or the entire app, the violations will cease.

This has changed in the latest 4.1 release, and data volumes are now calculated as the disk is written to.

Still getting license violations on my search head, even with 4.0.10

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...