I tried to search for this, but didn't seem to find an answer. I understand that all the logs that come to a Splunk indexer from _INTERNAL do not count under Splunk licensing.
I have a distributed architecture in my organization with multiple search heads, dispatchers, indexers, and forwarders, and I want to start a system health check using the S.o.S. app. However, will this add additional data to the indexer, since the performance data from other servers (forwarders etc.) also needs to be indexed?
Can somebody please throw some light on this topic?
Thanks in advance.
The S.o.S. app by default does not have any inputs enabled, so it shouldn't affect your license at all. The app has built-in functions to analyze your environment with the data that is already present.
You can however enable the scripted inputs present in inputs.conf, which may impact the license a little (not a lot).
I am not really sure about this, the reason being that I am using a distributed architecture. If I were using a single-server instance, then maybe there would have been no data consumption, since indexing of _INTERNAL logs is not a part of the license.
But the tricky part is when data from other forwarders flows to the indexer. I am not sure if that is part of the license.
If you can guide me on that?
The S.o.S app ships with two scripted inputs (
lsof_sos.sh) that gather process-level and resource usage information. These data input:
That being said, please note that as of Splunk Enterprise 6.2 you can now use the Distributed Management Console (a built-in feature with no license quota impact) to get much more visibility of your Splunk deployment than you would with S.o.S.