We are getting an alert about Splunk license usage. When I log in and go to Deployment Monitor - License Usage - By Host, I find that the host which consumes the most license (about 30GB every day) has a NULL hostname.
Clicking the NULL hostname makes Splunk jump to a search result: "index="summary_hosts" | eval Mbytes = bytes/1048576 | eval _time = _time+1800 | rename my_host as host | search NOT host=*"
May I know what it is, and is there anything we can do to reduce the usage of this host?
Hi AngelOps,
You cannot limit a host's license usage directly; you need to create a license pool and add the host to this pool - see docs about create license pool.
Also check what kind of data/events this host is sending the most and whether you need them at all; if not, you could either exclude the data source on the host or nullQueue the data on the indexer - see the docs about Discard specific events and keep the rest.
Hope this helps ...
cheers, MuS
Check out my previous post. You should be able to use the license.log file.
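A sketch of the license-log approach from the last reply, used to see which sourcetypes and sources make up the volume recorded with an empty host. This is an added example, not code from the thread; it assumes the key=value `type=Usage` record layout of Splunk's license_usage.log, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines. The key=value layout is an assumption modelled on
# "type=Usage" records in Splunk's license_usage.log, not data from the thread.
SAMPLE_LOG = '''\
03-01-2013 10:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app/a.log" st="app_log" h="web01" o="" idx="main" i="GUID-PLACEHOLDER" pool="pool_a" b=1048576 poolsz=53687091200
03-01-2013 10:01:00.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st="syslog" h="" o="" idx="main" i="GUID-PLACEHOLDER" pool="pool_a" b=4194304 poolsz=53687091200
03-01-2013 10:02:00.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st="syslog" h="" o="" idx="main" i="GUID-PLACEHOLDER" pool="pool_a" b=2097152 poolsz=53687091200
03-01-2013 10:03:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app/b.log" st="app_log" h="" o="" idx="main" i="GUID-PLACEHOLDER" pool="pool_a" b=524288 poolsz=53687091200
03-01-2013 10:04:00.000 +0000 WARN  SomethingElse - this line is not a usage record
'''

# Matches key="quoted value" (possibly empty) or key=bare_value.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_usage(line):
    """Return the fields of a type=Usage record, or None for any other line."""
    fields = {key: (bare or quoted) for key, quoted, bare in FIELD_RE.findall(line)}
    if fields.get("type") != "Usage" or not fields.get("b", "").isdigit():
        return None
    return fields


def usage_by(lines, key, where=None):
    """Sum licensed bytes (b=) per value of `key`, largest first.

    `where` optionally restricts records to exact field matches,
    e.g. {"h": ""} for records logged without a host name.
    """
    totals = defaultdict(int)
    for line in lines:
        rec = parse_usage(line)
        if rec is None:
            continue
        if where and any(rec.get(k, "") != v for k, v in where.items()):
            continue
        totals[rec.get(key, "") or "(empty)"] += int(rec["b"])
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("bytes by host:", usage_by(lines, "h"))
    print("empty-host bytes by sourcetype:", usage_by(lines, "st", {"h": ""}))
    print("empty-host bytes by source:", usage_by(lines, "s", {"h": ""}))
```
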