Over the weekend I upgraded Splunk from v4.2.4 to v5.0.3. I installed Splunk on Splunk and that has taken me over my 5GB license.
Main was doing about 200MB-500MB a day and now it is 1.3GB to 2.5GB. Why does Splunk on Splunk take so much?
As it is really an internal tool for helping with the admin of Splunk, should it really count against the license?
I highly doubt that the S.o.S app is responsible for this increase in license usage because:
The cause of your increase in indexing must be related to the upgrade to 5.0.3. Perhaps the Metrics view in S.o.S can help you figure out which sourcetype, source or host is responsible for this increase.
I think I might have found it. I think it is the Windows app and Splunk is being indexed. Will leave it overnight and see what happens.
Appreciate the feedback.
I will re-iterate my previous recommendation to use the Metrics view in S.o.S to attempt to determine what characterizes the data that increased in volume since the upgrade to 5.0.3. If you feel uncomfortable doing so and hold an Enterprise Support entitlement, you can open a support case to get some assistance.
Thanks for the feedback. I have attached two screenshots. As you see SoS didn't make any difference as I turned it off for the last two hours.
As you can see, something happened to index main and aplsplunk, which is the Splunk server. The upgrade was done on the 25th.