Deployment Architecture

Still getting license violations on my search head, even with 4.0.10

mctester
Communicator

I had the Unix app running for a while on this instance and that was indexing a lot of data so I disabled the 'os' index.

The only indexes I can see with any data going to them are the _internal and summary indexes, which shouldn't count against the license volume, right?

1 Solution

Mick
Splunk Employee
Splunk Employee

The Unix app is the culprit. Even though you have disabled the index where the data should be stored, the inputs are still running and the data is flowing through Splunk, until it gets to the indexing processor which will throw it away.

Indexed data volume in the 4.0.x and earlier versions was calculated before the data was actually written to disk, so even though your Unix app data isn't being kept, it still counts. If you disable the inputs, or the entire app, the violations will cease.

This has changed in the latest 4.1 release, and data volumes are now calculated as the disk is written to.

View solution in original post

Mick
Splunk Employee
Splunk Employee

The Unix app is the culprit. Even though you have disabled the index where the data should be stored, the inputs are still running and the data is flowing through Splunk, until it gets to the indexing processor which will throw it away.

Indexed data volume in the 4.0.x and earlier versions was calculated before the data was actually written to disk, so even though your Unix app data isn't being kept, it still counts. If you disable the inputs, or the entire app, the violations will cease.

This has changed in the latest 4.1 release, and data volumes are now calculated as the disk is written to.

Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...