Hello everyone,
I have been using Splunk Enterprise since July.
I have created hosts and forwarders for it. I think forwarders may not use data license? Please give clarity on this.
But we haven't used it until now, nor any logs, yet we can see that data license usage is very high month to month: August 1.1m --> September 1.9m --> October 2.8M. Why is that happening? Please let me know. Is there any process for this? Please provide some information on how to check that and how to find who is using it.
Thanks
Hi
Technically speaking, a UF doesn't use license, BUT when it sends those events to a Splunk Enterprise indexer host, the indexer uses license based on the amount and size of the events it receives from UFs + other ways. You could reduce the amount and content of events before indexing if there is something you don't need. Another option is not collecting those from the source node (UF).
What nodes, source types etc. are using license? You can see that from your MC (Monitoring Console). Where this is depends on your deployment. If you have a single node (SH + IDX on the same box), then just go to Settings -> MC -> Indexing -> Licensing or directly Settings -> Licensing. There are a couple of dashboards which show that information. If you have a distributed environment (separate SH and IDX layers), then you should have a separate MC node or a CM which has this role. Then just use Settings -> MC -> Indexing -> License on that node. In a distributed environment this requires that you first set your MC to distributed mode and that all nodes use the same LM (license master).
r. Ismo
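The breakdown behind those licensing dashboards can also be pulled with a search, shown here as an added example that is not part of the original reply. It assumes the license master's `_internal` index is searchable from where the search runs, and it relies on the `license_usage.log` fields `b` (bytes), `idx` (index), `st` (source type) and `h` (host).

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-30d@d latest=@d
| bin _time span=1d
| stats sum(b) AS bytes BY _time, idx, st, h
| eval GB = round(bytes / 1024 / 1024 / 1024, 3)
| eventstats sum(GB) AS day_total_GB BY _time
| eval pct_of_day = round(100 * GB / day_total_GB, 1)
| sort 0 -_time, -GB
| fields _time, idx, st, h, GB, day_total_GB, pct_of_day
```

The 30-day range matches the default retention of `_internal`. If `h` comes back empty because Splunk squashed host values on high-cardinality days, group by `idx` and `st` only.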