Deployment Architecture

Still getting license violations on my search head, even with 4.0.10

Communicator

I had the Unix app running for a while on this instance and that was indexing a lot of data so I disabled the 'os' index.

The only indexes I can see with any data going to them are the _internal and summary indexes, which shouldn't count against the license volume, right?

1 Solution

Splunk Employee
Splunk Employee

The Unix app is the culprit. Even though you have disabled the index where the data should be stored, the inputs are still running and the data is flowing through Splunk, until it gets to the indexing processor which will throw it away.

Indexed data volume in the 4.0.x and earlier versions was calculated before the data was actually written to disk, so even though your Unix app data isn't being kept, it still counts. If you disable the inputs, or the entire app, the violations will cease.

This has changed in the latest 4.1 release, and data volumes are now calculated as the disk is written to.

View solution in original post

Splunk Employee
Splunk Employee

The Unix app is the culprit. Even though you have disabled the index where the data should be stored, the inputs are still running and the data is flowing through Splunk, until it gets to the indexing processor which will throw it away.

Indexed data volume in the 4.0.x and earlier versions was calculated before the data was actually written to disk, so even though your Unix app data isn't being kept, it still counts. If you disable the inputs, or the entire app, the violations will cease.

This has changed in the latest 4.1 release, and data volumes are now calculated as the disk is written to.

View solution in original post