Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find last 3 months data usage and what logs are genarated

anil1432
Explorer
‎11-09-2021 11:59 PM

Hello everyone,

I have started using splunk enterprise from July ,

I have created hosts and forwarders for it , I think forwarders may not use data license ?, please give clarity on this.

 

 but we didn't use it for still now and any logs also , but we can see that data license usage is very high  month to month August month 1.1m-->September--> 1.9m ---> October--> 2.8M . And why that's

 happening please let me know , any process for this one , please provide some information , and how to check that one and how to find  who are using  that , 

 

Thanks

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-10-2021 01:15 AM

Hi

In technical way of thinking UF don't use license, BUT when it sends those events to Splunk Enterprise indexer host then indexer use license based on event amount and sizes which it receive from UFs + other ways. You could reduce event amount and content of events before indexing if there is something which you are not needed. Other option is not getting those from source node (UF).

What nodes, source types etc are using license? You can see that from your MC (Monitoring console). Where this is is based n your deployment. If you have single node (SH + IDX on the same box) then just go to Settings -> MC -> Indexing -> Lincensing to directly Settings -> Licensing. There are couple of dashboards which shows that information. If you have distributed environment (separate SH and IDX layer) then you should have separate MC node or CM which has this role. Then just use on that node Settings -> MC -> Indexing -> License. In distributed environment this needs that you set first your MC to distributed mode and all nodes are using the same LM (license master).

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...