All Apps and Add-ons
Highlighted

How will the S.o.S. - Splunk on Splunk app impact my license usage in a distributed search environment?

Path Finder

I tried to search this, but didn't seem to find an answer. I understand that all the logs that come to a Splunk Indexer from _INTERNAL does not count under Splunk licensing.

I have a distributed architecture in my Organization with Multiple Search Heads, Dispatchers, Indexers, and Forwarders, and I want to Start System Health Check using S.O.S. App. However, will this add additional data to indexer since the performance data from other servers (Forwarders etc) also needs to be indexed?

Can somebody please throw some light on this topic?

Thanks In advance

Best Regards,
Neel Shah

Highlighted

Re: How will the S.o.S. - Splunk on Splunk app impact my license usage in a distributed search environment?

Builder

The S.o.S. app by default does not have any inputs enabled, so it shouldn't affect your license at all. The app has built in functions to analyze your environment with the data that is already present.

You can however enable the scripted inputs present in inputs.conf, which may impact the license a little (not a lot).

0 Karma
Highlighted

Re: How will the S.o.S. - Splunk on Splunk app impact my license usage in a distributed search environment?

Path Finder

I am not really sure about this, the reason being that i am using DISTRIBUTED Architecture. If i was using Single Server instance, then mabie there would hav been no data consumption. Since indexing of _INTERNAL Logs are not a part of License.

But the tricky part is when data from other Forwarders flow to Indexer. I am not sure if that is part of license.

If you can guide me on that ?

0 Karma
Highlighted

Re: How will the S.o.S. - Splunk on Splunk app impact my license usage in a distributed search environment?

Splunk Employee
Splunk Employee

The S.o.S app ships with two scripted inputs ( ps_sos.sh / ps_sos.ps1 and lsof_sos.sh) that gather process-level and resource usage information. These data input:

  • Are not enabled by default.
  • Write to the dedicated "sos" index.
  • Generate roughly between 50 and 75MB per instance where they are enabled, which is counted against your daily license quota.

That being said, please note that as of Splunk Enterprise 6.2 you can now use the Distributed Management Console (a built-in feature with no license quota impact) to get much more visibility of your Splunk deployment than you would with S.o.S.

View solution in original post