
Splunk On Splunk increasing license usage?

Explorer

Hi,

Over the weekend I upgraded Splunk from v4.2.4 to v5.0.3. I installed Splunk on Splunk and that has taken me over my 5GB license.

Main was doing about 200MB-500MB a day and now it is 1.3GB to 2.5GB. Why does Splunk on Splunk take so much?

As it is really an internal tool for helping with the admin of Splunk, should it really count against the license?

Best wishes

Michael

Splunk Employee

I highly doubt that the S.o.S app is responsible for this increase in license usage because:

  • Although the app ships with two scripted inputs, these are not enabled by default.
  • Those scripted inputs (ps_sos.sh and lsof_sos.sh) write to the dedicated "sos" index.
  • The amount of data generated daily by those inputs is roughly between 50 and 75MB per instance where they are enabled.

The cause of your increase in indexing must be related to the upgrade to 5.0.3. Perhaps the Metrics view in S.o.S can help you figure out which sourcetype, source or host is responsible for this increase.

Explorer

I think I might have found it. I think it is the Windows app and Splunk is being indexed. Will leave it overnight and see what happens.

Appreciate the feedback.

0 Karma

Splunk Employee

I will reiterate my previous recommendation to use the Metrics view in S.o.S to attempt to determine what characterizes the data that increased in volume since the upgrade to 5.0.3. If you feel uncomfortable doing so and hold an Enterprise Support entitlement, you can open a support case to get some assistance.

0 Karma
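An added example, not part of the thread or of the S.o.S app: the before/after comparison that both replies above recommend, done by hand over metrics.log-style throughput lines to rank which sourcetype or host grew after an upgrade. The sample lines, series names and cutover date are constructed, and the line layout is assumed to follow Splunk's `per_*_thruput` metrics format.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed sample lines (not from the thread); kb = kilobytes indexed in the interval.
SAMPLE = """\
10-23-2013 09:00:00.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.0, eps=2.0, kb=200000.0, ev=9000
10-23-2013 09:00:00.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="WinEventLog:Security", kbps=0.2, eps=1.0, kb=50000.0, ev=900
10-24-2013 09:00:00.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.1, eps=2.0, kb=220000.0, ev=9100
10-24-2013 09:00:00.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="WinEventLog:Security", kbps=0.2, eps=1.0, kb=50000.0, ev=900
10-24-2013 09:00:00.000 +0000 INFO  Metrics - group=per_host_thruput, series="host-a", kbps=1.3, eps=3.0, kb=270000.0, ev=10000
10-26-2013 09:00:00.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.0, eps=2.0, kb=210000.0, ev=9000
10-26-2013 09:00:00.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="WinEventLog:Security", kbps=7.0, eps=30.0, kb=1500000.0, ev=40000
10-26-2013 09:00:00.000 +0000 INFO  Metrics - group=per_host_thruput, series="host-a", kbps=8.0, eps=32.0, kb=1710000.0, ev=49000
10-27-2013 09:00:00.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.0, eps=2.0, kb=210000.0, ev=9000
10-27-2013 09:00:00.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="WinEventLog:Security", kbps=8.0, eps=33.0, kb=1700000.0, ev=45000
"""
CUTOVER = date(2013, 10, 25)  # constructed upgrade date for the sample

# Date, throughput group, series name and the kb field (\bkb= does not match kbps=).
LINE = re.compile(
    r'^(\d\d-\d\d-\d{4}) \S+ \S+ INFO\s+Metrics - group=(per_\w+_thruput), '
    r'series="([^"]*)".*?\bkb=([\d.]+)')

def daily_kb(lines):
    """Sum kb per (group, series) for each calendar day; skip unrelated lines."""
    totals = defaultdict(lambda: defaultdict(float))
    for line in lines:
        m = LINE.match(line)
        if m:
            day = datetime.strptime(m.group(1), "%m-%d-%Y").date()
            totals[(m.group(2), m.group(3))][day] += float(m.group(4))
    return totals

def mean(values):
    return sum(values) / len(values) if values else 0.0

def growth_after(lines, cutover):
    """Rank series by the rise in mean daily kb from before to on/after cutover."""
    rows = []
    for (group, series), days in daily_kb(lines).items():
        before = mean([v for d, v in days.items() if d < cutover])
        after = mean([v for d, v in days.items() if d >= cutover])
        rows.append((group, series, before, after, after - before))
    return sorted(rows, key=lambda r: r[4], reverse=True)

if __name__ == "__main__":
    for group, series, before, after, delta in growth_after(SAMPLE.splitlines(), CUTOVER):
        print(f"{group:24} {series:22} {before:>10.0f} {after:>10.0f} {delta:>+10.0f}")
```

metrics.log records only the busiest series in each interval, so treat the totals as a pointer to the noisy sourcetype or host rather than as license accounting.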

Explorer

Hi,

Thanks for the feedback. I have attached two screenshots. As you see, SoS didn't make any difference, as I turned it off for the last two hours.

https://dl.dropboxusercontent.com/u/262417/splunk.zip

As you can see, something happened to index main and aplsplunk, which is the Splunk server. The upgrade was done on the 25th.

Best wishes

Michael

0 Karma