split splunk license volume into pools

conorglynn · ‎02-03-2012

I have a 20gb splunk daily license.
regularly I go over my daily limit due to dev/qa activities.. so Im always battling to try to stay below the 20gb limit before I hit 5 violations in a 30 day period.
I would like to split my license into 3 seperate pools:
15GB for production
3GB for dev/qa
2GB for uat
I want to do this so dev/qa/uat would be limited to using 5GB a day and if they go over that 5GB a day then it will not eat into my production daily volume? will this work? if so will the dev/qa & uat pools still get 5 warnings in a 30day period before their search abilities are blocked?

conorglynn · ‎08-24-2012

Hi, no I never got an answer to this and AFAIK, you are unable to split your license daily usage into pools and then strictly limit those pool to usage limits. As you said you will only get alerted when a certain pool reaches its soft limit. You could setup a script on forwarders in your dev/qa pools to query the splunk api for its usage and when it reaches that daily usage to turn of the its forwarder, but watch out when the forwarder next starts to make sure it does not pick up everything from when it was running last.
Maybe somebody else is doing this in a better way and can comment ???

mwpower · ‎08-23-2012

were you able to find out anything about this? I've managed to configure my QA environment to use a different pool, but its a 'soft-limit' in that it'll throw me an alert, but just keep going ahead and eating through the rest of my license.

If there's a way to configure this as a hard-limit, it'd make things much easier.

split splunk license volume into pools

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM