https://community.splunk.com/t5/Getting-Data-In/SPLUNK-index-main-logs/m-p/108038#M22728 <P>Thank you!!!</P> Mon, 21 Oct 2013 21:27:35 GMT jviteka 2013-10-21T21:27:35Z https://community.splunk.com/t5/Getting-Data-In/SPLUNK-index-main-logs/m-p/108032#M22722 <P>My Splunk License Usage app is showing that my SPLUNK server is using 26% of my license(From "main"). Is there any way to make this smaller?</P> Mon, 21 Oct 2013 20:35:31 GMT https://community.splunk.com/t5/Getting-Data-In/SPLUNK-index-main-logs/m-p/108032#M22722 jviteka 2013-10-21T20:35:31Z https://community.splunk.com/t5/Getting-Data-In/SPLUNK-index-main-logs/m-p/108033#M22723 <P>I know that I can remove the monitor from /opt/splunk/var/log/splunk/*.log but would that be a good idea?</P> Mon, 21 Oct 2013 20:38:39 GMT https://community.splunk.com/t5/Getting-Data-In/SPLUNK-index-main-logs/m-p/108033#M22723 jviteka 2013-10-21T20:38:39Z https://community.splunk.com/t5/Getting-Data-In/SPLUNK-index-main-logs/m-p/108034#M22724 <P>It would make no difference. These logs go to the <CODE>_internal</CODE> index and do not count against your license.</P> Mon, 21 Oct 2013 20:42:08 GMT https://community.splunk.com/t5/Getting-Data-In/SPLUNK-index-main-logs/m-p/108034#M22724 Ayn 2013-10-21T20:42:08Z https://community.splunk.com/t5/Getting-Data-In/SPLUNK-index-main-logs/m-p/108035#M22725 <P>So when i look at my domain host "SPLUNK01.My.Domain" and "main" they dont count against my license? Why does the "License Usage" app on the matrix they show?</P> Mon, 21 Oct 2013 20:51:15 GMT https://community.splunk.com/t5/Getting-Data-In/SPLUNK-index-main-logs/m-p/108035#M22725 jviteka 2013-10-21T20:51:15Z https://community.splunk.com/t5/Getting-Data-In/SPLUNK-index-main-logs/m-p/108036#M22726 <P>Internal Splunk logs aren't sent to 'Main'. they're sent to '_internal' and aren't applied to your license. If you have data going into Main, it's because of inputs you may have set up. </P> <P>Recommend looking at the data in your main index and making determinations from there.</P> Mon, 21 Oct 2013 21:02:54 GMT https://community.splunk.com/t5/Getting-Data-In/SPLUNK-index-main-logs/m-p/108036#M22726 emiller42 2013-10-21T21:02:54Z https://community.splunk.com/t5/Getting-Data-In/SPLUNK-index-main-logs/m-p/108037#M22727 <P>Splunk indexes its internal logs (for example, <CODE>splunkd.log</CODE>) into an index named <CODE>_internal</CODE>. This index does <EM>not</EM> count as part of your Splunk license. Splunk does not add any data to the <CODE>main</CODE> index. So disabling Splunk's logs will not save you anything - as Ayn points out.</P> <P>Everything in the <CODE>main</CODE> index came from either (1) inputs that you defined or (2) inputs defined by apps that you installed.</P> <P>If you are monitoring the Linux or Windows system where Splunk is running - which is probably what <CODE>SPLUNK01.My.Domain</CODE> is - these are <EM>not</EM> Splunk internal logs. These are just regular system logs. These logs could be indexed in the <CODE>main</CODE> index or the <CODE>os</CODE> index or whatever - but these logs <EM>do</EM> count against your license. While it is a good idea to monitor the systems where Splunk is running, you can change or disable these inputs. Limiting these inputs <STRONG>will</STRONG> decrease your Splunk license usage.</P> <P>People often install the Linux or Windows apps on their Splunk servers. This is most likely the origin of these inputs. If you have these apps, I suggest that you check the configurations.</P> Mon, 21 Oct 2013 21:03:34 GMT https://community.splunk.com/t5/Getting-Data-In/SPLUNK-index-main-logs/m-p/108037#M22727 lguinn2 2013-10-21T21:03:34Z https://community.splunk.com/t5/Getting-Data-In/SPLUNK-index-main-logs/m-p/108038#M22728 <P>Thank you!!!</P> Mon, 21 Oct 2013 21:27:35 GMT https://community.splunk.com/t5/Getting-Data-In/SPLUNK-index-main-logs/m-p/108038#M22728 jviteka 2013-10-21T21:27:35Z