topic Re: splunk license usage question in Security

splunk license usage question

ananthan123 — Tue, 29 Sep 2020 15:13:18 GMT

Hello,

I have a question about forwarder and log indexing.

How often forwarder pushes the data to Indexer? How do I modify the time?

How do I know what are the events and logs are taking affect on licence usage?

Are these splunk log files push to indexer? And does it affect on licence usage?
$ sudo ls /opt/splunk/var/log/splunk
audit.log first_install.log metrics.log.5 splunkd_stderr.log
btool.log license_usage.log mongod.log splunkd_stdout.log
conf.log metrics.log remote_searches.log splunkd_ui_access.log
django_access.log metrics.log.1 scheduler.log splunkd-utility.log
django_error.log metrics.log.2 searchhistory.log web_access.log
django_service.log metrics.log.3 splunkd_access.log web_service.log
export_metrics.log metrics.log.4 splunkd.log

Re: splunk license usage question

adonio — Thu, 03 Aug 2017 14:41:08 GMT

hello there,
everything that is being indexed in internal indexes, meaning indexes that starts with an "_" (underscore) will not count against your license.
everything that is on the forwarder /var/log/splunk/ will not count against your license as default monitor for it is to go to internal indexes.
forwarder will tail files and send them to splunk. if you are using "monitor" for inputs, there is no interval set. when new line is added to the monitored file, the forwarder reads it and sends it to indexer.
hope it helps

Re: splunk license usage question

ChrisG — Thu, 03 Aug 2017 14:49:39 GMT

The log files in index=_internal do not count against your license quota. See What Splunk software logs about itself in the Troubleshooting Manual for more information about Splunk platform logging.

For all practical purposes, the forwarder works continuously. There are some attributes related to timeout intervals and load balancing that you can set in the outputs.conffile. See Configure forwarding with outputs.conf in the Forwarder Manual.

Re: splunk license usage question

gcusello — Thu, 03 Aug 2017 15:19:56 GMT

Hi
answering to your question:

by default 30 seconds, you can modify it changing the autoLBFrequency parameter in forwarder's outputs.conf (see http://docs.splunk.com/Documentation/Splunk/latest/Admin/outputsconf?r=searchtip),
all indexed logs affect license usage, it's possible to filter data before indexing (see http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad) and the filtered logs doesn't affect license.
Internal Splunk logs don't affect license.

Bye.
Giuseppe

Re: splunk license usage question

ananthan123 — Thu, 03 Aug 2017 16:05:19 GMT

thank you for all of you. I would like to accept all of your answers. Can I accept all or need to accept one?

Re: splunk license usage question

aaraneta_splunk — Thu, 03 Aug 2017 16:09:29 GMT

Hi @ananthan123 - Please accept the best answer so your question will be marked as resolved. But you can up-vote the other answers as well, that way these users will know you're appreciative of their help 🙂 Thanks and Happy Splunking!