All Apps and Add-ons

Can I learn more about the internal structure for measuring Splunk license usage?

kannu
Communicator

What is a mechanism behind splunk which lets the splunk to calculate the license:
For example if i am forwarding the data to indexer and indexer is indexing the data and splunk is checking how much data is indexed as per license that mechanism i know . But what i want to ask is what is the internal mechanism in back end that's is being followed like if my indexer indexed 2 gb data and my license capacity is 10 gb , so where is the two value being compared is somewhere splunk store the remaining left out 7gb license capacity value in some conf file or something else.

SPlunker, i repeat how license works i know . But what i am asking what is the internal mechanism .

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

If you you use 2GB out of your 10GB license, you will have 8GB of daily capacity left, not 7... 😉

I have to ask: Why do you need to know anything about how the product works internally, other than your licensed capacity is encoded in the license key and actual usage evaluated dynamically based on what the indexers report.
Trying to understand what you are trying to achieve.

0 Karma

kannu
Communicator

@ssievert

I am trying to achieve how splunk internally calculates the left out license capacity what is the method it is following

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

We determine once a day whether you have exceeded your daily licensed limit based on internal logs. If you did, you get a UI warning. We don't really calculate "what's left", we just calculate "have you used more than your daily allowance".
BTW: As of 6.5.0, we no longer disable search, but you have to get a different license key from your Splunk account manager to enable that.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

At a high level, they track and store how much data is being indexed at all times, and periodically compare how much you have indexed to how much your license says that you can index. If you exceed your licence, you get a warning from the system. If you exceed the license a certain number of times in a 30-day period, then searches are disabled until the situation is handled, either by the overuse timing out, or by splunk helping you get your license reinstated and the issues cleared.

The data is sent by the indexers to be stored here -

  index=_internal source=*license_usage.log*

(Okay, that was sloppy phrasing, they probably actually just add their own records to themselves that are LABELED as being on that _internal index...)

The compare to your license itself seems trivial, since that data is all in one place.

I'm not privy to all the technical underpinnings of how the architecture prevents people from monkeying with the usage numbers, or what happens if someone does, and I highly doubt that splunk is going to discuss on this forum the internal architecture of the license mechanism itself. That's proprietary, confidential, trade secret, and a bit like asking a bank to discuss the combination to the safe.

However, if I wanted to research more specifics about where (and in what form) all the license usage data was stored, I'd start with the screens referenced here...

http://docs.splunk.com/Documentation/Splunk/6.6.3/Admin/AboutSplunksLicenseUsageReportView

What is your use case that requires you to know more detailed information about this subject?

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...