Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Does the indexing of Splunk internal logs such as metrics.log count against our license?

jairjr
Path Finder
‎08-28-2015 01:01 PM

When running

index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)

to find indexing volume per host, to my surprise, the Splunk host appears in second. Is that right? Does the indexing of the metrics.log file hit my license usage?

Labels (1)
Labels
Reply

acharlieh
Influencer
‎08-28-2015 01:45 PM

metrics.log is measuring the thruput of data being actually being indexed by Splunk, as a measure of how well your input and indexing pipelines are performing. The metrics.log file itself is indeed indexed to the _internal index because you can run a splunk search and have it show up.

However, this data and the other data indexed by Splunk about Splunk in _internal and _introspection and a few other indexes, does not actually count toward your license. Additionally data that is indexed by Splunk out of summarization queries run against other Splunk data and written into Summary Indexes is additionally not counted toward your license, however it is possible to configure your Splunk Server(s) to have inputs of their own and pick up data that isn't about Splunk itself, thus would actually count toward your license.

To figure out actual license impact (instead of performance metrics) you'll want to look on your license master, there should be a search called the "License Usage Data Cube" which helps build breakdowns and the License Usage Report View which will let you see the actual license impact against various indexes and hosts. (You should read the documentation page because there is squashing behavior that could take place in the data sent to the license master from each indexer.

Reply

jairjr
Path Finder
‎08-28-2015 02:15 PM

Thank you guys for the answers. I'm bit new to Splunk, is there somehow simple to find out who is sending more data? Since a week ago I'm getting licenses violations and I'm not able to find who is sending the data.

0 Karma
Reply

MuS
Legend
‎08-28-2015 04:11 PM

Check the License Usage Report View http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/AboutSplunksLicenseUsageReportView like @acharlieh suggested

Reply

tlelle_splunk
Splunk Employee
Splunk Employee
‎08-28-2015 01:30 PM

Internal Splunk logs do not count against your license usage, however, the data is still going to be searchable since you are specifying the _internal index.

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...