Getting Data In

How to find last 3 months data usage and what logs are generated

anil1432
Explorer

Hello everyone,

I have been using Splunk Enterprise since July.

I have created hosts and forwarders for it. I think forwarders may not use data license? Please give clarity on this.

But we haven't used it so far, nor any logs, yet we can see that data license usage is very high month to month: August 1.1m --> September 1.9m --> October 2.8M. Why is that happening? Please let me know. Is there any process for this? Please provide some information on how to check it and how to find who is using it.

 

Thanks

0 Karma

isoutamo
SplunkTrust

Hi

Technically speaking, a UF doesn't use license, BUT when it sends those events to a Splunk Enterprise indexer host, the indexer uses license based on the amount and size of the events it receives from UFs and other inputs. You could reduce the amount and content of events before indexing if there is something you don't need. Another option is not collecting those from the source node (UF).

Which nodes, source types, etc. are using license? You can see that from your MC (Monitoring Console). Where this is depends on your deployment. If you have a single node (SH + IDX on the same box), then just go to Settings -> MC -> Indexing -> Licensing or directly Settings -> Licensing. There are a couple of dashboards which show that information. If you have a distributed environment (separate SH and IDX layers), then you should have a separate MC node or CM which has this role. Then on that node just use Settings -> MC -> Indexing -> License. In a distributed environment this requires that you first set your MC to distributed mode and that all nodes use the same LM (license master).

r. Ismo

0 Karma
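Added example, not part of either post above: the licensing dashboards mentioned in the answer are built on `license_usage.log` on the license master, and the same breakdown (bytes per month, then per source type, host, or index) can be computed from that file directly. The log lines below are constructed, and the `key=value` field layout (`type`, `st`, `h`, `idx`, `b`) is an assumption about that log's format; the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches key="quoted value" or key=bare_value pairs on a log line.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines (assumed license_usage.log layout, not real data).
SAMPLE_LOG = '''\
08-14-2023 09:00:01.120 +0000 INFO  LicenseUsage - type=Usage s="/var/log/messages" st="syslog" h="web01" o="" idx="main" pool="auto_generated_pool_enterprise" b=400000 poolsz=5368709120
08-20-2023 09:00:01.120 +0000 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st="WinEventLog:Security" h="dc01" o="" idx="wineventlog" pool="auto_generated_pool_enterprise" b=700000 poolsz=5368709120
09-03-2023 09:00:01.120 +0000 INFO  LicenseUsage - type=Usage s="/var/log/messages" st="syslog" h="web01" o="" idx="main" pool="auto_generated_pool_enterprise" b=900000 poolsz=5368709120
09-18-2023 09:00:01.120 +0000 INFO  LicenseUsage - type=Usage s="" st="WinEventLog:Security" h="" o="" idx="wineventlog" pool="auto_generated_pool_enterprise" b=1000000 poolsz=5368709120
10-05-2023 09:00:01.120 +0000 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st="WinEventLog:Security" h="dc01" o="" idx="wineventlog" pool="auto_generated_pool_enterprise" b=2000000 poolsz=5368709120
10-06-2023 09:00:01.120 +0000 INFO  LicenseUsage - type=Usage s="/var/log/messages" st="syslog" h="web01" o="" idx="main" pool="auto_generated_pool_enterprise" b=800000 poolsz=5368709120
10-07-2023 00:00:00.010 +0000 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_enterprise" b=2800000 poolsz=5368709120
'''

def parse_usage(text):
    """Yield (YYYY-MM, fields) per type=Usage line; summaries would double count."""
    for line in text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
        if fields.get("type") != "Usage" or not fields.get("b", "").isdigit():
            continue
        try:
            day = datetime.strptime(line[:10], "%m-%d-%Y")
        except ValueError:
            continue  # line does not start with the assumed timestamp
        yield day.strftime("%Y-%m"), fields

def usage_by_month(text):
    """Total indexed bytes per calendar month."""
    totals = defaultdict(int)
    for month, fields in parse_usage(text):
        totals[month] += int(fields["b"])
    return dict(sorted(totals.items()))

def top_consumers(text, key="st"):
    """Bytes grouped by st (source type), h (host) or idx (index), largest first."""
    totals = defaultdict(int)
    for _, fields in parse_usage(text):
        # An empty h or s value means the field was not recorded on that line.
        totals[fields.get(key) or "(squashed)"] += int(fields["b"])
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    print(usage_by_month(SAMPLE_LOG))
    for key in ("st", "h", "idx"):
        print(key, top_consumers(SAMPLE_LOG, key))
```

Grouping by `idx` and `st` still attributes volume when the host field is empty, which is why the sketch reports all three keys.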