Solved: Splunk indexing question

ananthan123 · ‎08-02-2017

Hello,

I'm trying to read how splunk indexing and usage works and still couldn't figure it our. Here is an example, we have around 3GB log file we need to analyze every 15 minutes, if we do search entry and if we get result of 5kb results of data, How would it show in usage?

gcusello · ‎08-02-2017

Hi ananthan123,
about indexing, Splunk indexes all the logs that it receives from all the inputs (local or remote) and license counts the daily volume of indexed logs.
In searches, Splunk shows the all the events that matches the search terms: if you have few events you have few traffic, if you have many events you have more traffic, aniway searches don't affect license consuption, they are important only in infrastructure capacity planning.
Could you share more details about your needs?
Bye.
Giuseppe

View solution in original post

ananthan123 · ‎08-02-2017

Thank you very much Giuesppe.

gcusello · ‎08-02-2017

Hi ananthan123,
about indexing, Splunk indexes all the logs that it receives from all the inputs (local or remote) and license counts the daily volume of indexed logs.
In searches, Splunk shows the all the events that matches the search terms: if you have few events you have few traffic, if you have many events you have more traffic, aniway searches don't affect license consuption, they are important only in infrastructure capacity planning.
Could you share more details about your needs?
Bye.
Giuseppe

ananthan123 · ‎08-02-2017

Thank you very much. how does forwarder metric log and indexer metric log works? Forwarder pass the local metric.log data to indexer and indexer merges with local metric.log and then do the indexing?

gcusello · ‎08-02-2017

No indexer counts the really indexed logs, logs sent by forwarders aren't added to the license consuption.
Infact you can filter logs received by indexers before indexing and discarded logs don't consume license.
At the same time Splunk internal logs are indexed but not added to the license consumption.
Bye.
Giuseppe

ananthan123 · ‎08-02-2017

Thank you, when you say internal logs, does it mean indexer's log files? for an example metric.log file?

gcusello · ‎08-02-2017

All Splunk logs of all Splunk servers, also Forwarders.
Bye.
Giuseppe

ananthan123 · ‎08-02-2017

Thank you so much Giuseppe. This is what I would like to know. If I understand correctly, If we do searches it won't affect license consumption. It will only calculate based on events and logs what we are indexing. Am I right?

gcusello · ‎08-02-2017

Yes, the total logs you daily indexed.
You can exceed the daily quota without a violation for 5 times in 30 solar days with a license and 3 times with the free license.
After you need a violation code to unlock your license (during violation logs are aniway indexed but you cannot run searches).
Bye.
Giuseppe
P.S. if your satisfied of this answer, please accept it.

ananthan123 · ‎08-02-2017

Yes, licensing usage.

richgalloway · ‎08-02-2017

What do you mean by "usage"? Are you referring to licensing or something else?

---
If this reply helps you, Karma would be appreciated.

Splunk indexing question

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!