Monitoring Splunk

Can I set a limit on the license usage for an index per day?

Rotema
Path Finder

Hi,

I have Splunk running with several indexes configured.
I want to limit one index (index=dev) so it will not use more than 1GB of the total license (10GB) per day.
Can anyone help and explain how to achieve this?

Thanks,
Rotem

0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

This isn't possible. Splunk will not stop indexing data unless it runs out of disk space.

Instead it disables search after you violate the license 3-5 times (depending on your version) in a rolling 30 day period.

You can segregate the license into pools so that if a pool violates, only its search is disabled, but you can't stop Splunk from indexing data.

In short it's because they never want you to lose data.

http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Aboutlicenseviolations

View solution in original post

0 Karma

woodcock
Esteemed Legend

The only way to do this is to stand up an indexer that ONLY takes events for index=dev. Then have Splunk support fracture your license to carve of a 1GB license that you apply ONLY to this dev indexer. The problem with this approach is that your 1GB license will ONLY be for index=dev (not shared for other purposes).

0 Karma

jkat54
SplunkTrust
SplunkTrust

This isn't possible. Splunk will not stop indexing data unless it runs out of disk space.

Instead it disables search after you violate the license 3-5 times (depending on your version) in a rolling 30 day period.

You can segregate the license into pools so that if a pool violates, only its search is disabled, but you can't stop Splunk from indexing data.

In short it's because they never want you to lose data.

http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Aboutlicenseviolations

0 Karma

Rotema
Path Finder

Hi, thanks for the answer.

So if I go and create a new license pool and max it to 1GB (like in the photo in link below):

http://postimg.org/image/go41qziox/

how do I set index=dev to send data only to this pool?

Thanks,

0 Karma

Jeremiah
Motivator

Also keep in mind the license is set on a per server (indexer) basis, not by index. If you truly wanted to limit the index to a specific license limit, you would need to setup the index on its own server (or at least a separate splunk instance).

0 Karma

jkat54
SplunkTrust
SplunkTrust

Start here:
http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Manageyourlicenses

Make sure you read this subsection thereof:
http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Groups,stacks,pools,andotherterminology

 A license pool is made up of a single license master and zero or more license slave instances of Splunk configured to use licensing volume from a set license or license stack.

In short, when you configure licensing on the Splunk instances you specify which license server to use, and then create the pools. So if you setup indexer 1 and point it to license master 1, then it will use the licenses provided by that license master.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Here's how to specifically add an indexer to a pool:

http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Addanindexertoalicensepool

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...