- Splunk Answers
- :
- Splunk Administration
- :
- Installation
- :
- Does the indexing of Splunk internal logs such as ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does the indexing of Splunk internal logs such as metrics.log count against our license?
When running
index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)
to find indexing volume per host, to my surprise, the Splunk host appears in second. Is that right? Does the indexing of the metrics.log file hit my license usage?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
metrics.log is measuring the thruput of data being actually being indexed by Splunk, as a measure of how well your input and indexing pipelines are performing. The metrics.log file itself is indeed indexed to the _internal index because you can run a splunk search and have it show up.
However, this data and the other data indexed by Splunk about Splunk in _internal and _introspection and a few other indexes, does not actually count toward your license. Additionally data that is indexed by Splunk out of summarization queries run against other Splunk data and written into Summary Indexes is additionally not counted toward your license, however it is possible to configure your Splunk Server(s) to have inputs of their own and pick up data that isn't about Splunk itself, thus would actually count toward your license.
To figure out actual license impact (instead of performance metrics) you'll want to look on your license master, there should be a search called the "License Usage Data Cube" which helps build breakdowns and the License Usage Report View which will let you see the actual license impact against various indexes and hosts. (You should read the documentation page because there is squashing behavior that could take place in the data sent to the license master from each indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you guys for the answers. I'm bit new to Splunk, is there somehow simple to find out who is sending more data? Since a week ago I'm getting licenses violations and I'm not able to find who is sending the data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check the License Usage Report View http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/AboutSplunksLicenseUsageReportView like @acharlieh suggested
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Internal Splunk logs do not count against your license usage, however, the data is still going to be searchable since you are specifying the _internal index.
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
