Splunk On Splunk increasing license usage?

bazcurtis
Explorer

Hi,

Over the weekend I upgraded Splunk from v4.2.4 to v5.0.3. I installed Splunk on Splunk and that has taken me over my 5GB license.

Main was doing about 200MB-500MB a day and now it is 1.3GB to 2.5GB. Why does Splunk on Splunk take so much?

As it is really an internal tool for helping with the admin of Splunk should it really count against the license?

Best wishes

Michael

hexx
Splunk Employee

I highly doubt that the S.o.S app is responsible for this increase in license usage because:

  • Although the app ships with two scripted inputs, these are not enabled by default.
  • Those scripted inputs (ps_sos.sh and lsof_sos.sh) write to the dedicated "sos" index.
  • The amount of data generated daily by those inputs is roughly between 50 and 75MB per instance where they are enabled.

The cause of your increase in indexing must be related to the upgrade to 5.0.3. Perhaps the Metrics view in S.o.S can help you figure out which sourcetype, source or host is responsible for this increase.

bazcurtis
Explorer

I think I might have found it. I think it is the Windows app and Splunk is being indexed. Will leave it overnight and see what happens.

Appreciate the feedback.

0 Karma

hexx
Splunk Employee

I will re-iterate my previous recommendation to use the Metrics view in S.o.S to attempt to determine what characterizes the data that increased in volume since the upgrade to 5.0.3. If you feel uncomfortable doing so and hold an Enterprise Support entitlement, you can open a support case to get some assistance.

0 Karma
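For working through the recommendation above offline, here is an added example (not part of the thread and not S.o.S code) that ranks sourcetypes or indexes by how much their mean daily volume changed across an upgrade date. It assumes the thruput lines of splunkd's metrics.log as the data source; the sample lines, series names and dates are constructed.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed sample in the metrics.log thruput layout (all values made up).
_P = "INFO  Metrics - group=per_sourcetype_thruput, series="
SAMPLE = f"""\
08-23-2013 10:00:00.000 +0000 {_P}"st_steady", kbps=0.1, eps=1.0, kb=300.0, ev=900
08-23-2013 10:00:00.000 +0000 {_P}"st_grew", kbps=0.1, eps=1.0, kb=100.0, ev=300
08-24-2013 10:00:00.000 +0000 {_P}"st_steady", kbps=0.1, eps=1.0, kb=300.0, ev=900
08-24-2013 10:00:00.000 +0000 {_P}"st_grew", kbps=0.1, eps=1.0, kb=50.0, ev=150
08-24-2013 10:00:31.000 +0000 {_P}"st_grew", kbps=0.1, eps=1.0, kb=50.0, ev=150
08-25-2013 10:00:00.000 +0000 {_P}"st_steady", kbps=0.1, eps=1.0, kb=300.0, ev=900
08-25-2013 10:00:00.000 +0000 {_P}"st_grew", kbps=0.9, eps=9.0, kb=900.0, ev=2700
08-25-2013 10:00:00.000 +0000 {_P}"st_new", kbps=0.4, eps=4.0, kb=400.0, ev=1200
08-26-2013 10:00:00.000 +0000 {_P}"st_steady", kbps=0.1, eps=1.0, kb=300.0, ev=900
08-26-2013 10:00:00.000 +0000 {_P}"st_grew", kbps=1.1, eps=9.0, kb=1100.0, ev=3300
08-26-2013 10:00:00.000 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=1.4, eps=9.0, kb=1400.0, ev=4200
"""

# \bkb= skips the kbps= field and captures only the kilobyte counter.
LINE = re.compile(r'^(\d\d-\d\d-\d{4}) \S+ \S+ INFO\s+Metrics - '
                  r'group=(\w+), series="([^"]*)",.*?\bkb=([\d.]+)')

def daily_kb(lines, group="per_sourcetype_thruput"):
    """Sum kb per (day, series) for one thruput group; other lines are ignored."""
    totals = defaultdict(float)
    for line in lines:
        m = LINE.match(line)
        if m and m.group(2) == group:
            day = datetime.strptime(m.group(1), "%m-%d-%Y").date()
            totals[(day, m.group(3))] += float(m.group(4))
    return totals

def growth_by_series(lines, cutover, group="per_sourcetype_thruput"):
    """Return (series, mean_kb_before, mean_kb_after), largest increase first.

    `cutover` is the upgrade date as an ISO string; that day counts as "after".
    """
    cut = date.fromisoformat(cutover)
    before, after = defaultdict(list), defaultdict(list)
    for (day, series), kb in daily_kb(lines, group).items():
        (after if day >= cut else before)[series].append(kb)
    mean = lambda xs: sum(xs) / len(xs) if xs else 0.0
    rows = [(s, mean(before[s]), mean(after[s])) for s in set(before) | set(after)]
    return sorted(rows, key=lambda r: r[2] - r[1], reverse=True)

if __name__ == "__main__":
    for series, b, a in growth_by_series(SAMPLE.splitlines(), "2013-08-25"):
        print(f"{series:12s} before={b:8.1f} kB/day  after={a:8.1f} kB/day")
```

metrics.log records only the busiest series in each interval (10 by default), so these totals are approximate; license_usage.log is the authoritative record of what counted against the license.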

bazcurtis
Explorer

Hi,

Thanks for the feedback. I have attached two screenshots. As you see SoS didn't make any difference as I turned it off for the last two hours.

https://dl.dropboxusercontent.com/u/262417/splunk.zip

As you can see, something happened to index main and aplsplunk which is the splunk server. The upgrade was done on the 25th.

Best wishes

Michael

0 Karma