SPLUNK index main logs

jviteka
Explorer

My Splunk License Usage app is showing that my SPLUNK server is using 26% of my license (from "main"). Is there any way to make this smaller?

0 Karma
1 Solution

lguinn2
Legend

Splunk indexes its internal logs (for example, splunkd.log) into an index named _internal. This index does not count as part of your Splunk license. Splunk does not add any data to the main index. So disabling Splunk's logs will not save you anything - as Ayn points out.

Everything in the main index came from either (1) inputs that you defined or (2) inputs defined by apps that you installed.

If you are monitoring the Linux or Windows system where Splunk is running - which is probably what SPLUNK01.My.Domain is - these are not Splunk internal logs. These are just regular system logs. These logs could be indexed in the main index or the os index or whatever - but these logs do count against your license. While it is a good idea to monitor the systems where Splunk is running, you can change or disable these inputs. Limiting these inputs will decrease your Splunk license usage.

People often install the Linux or Windows apps on their Splunk servers. This is most likely the origin of these inputs. If you have these apps, I suggest that you check the configurations.

jviteka
Explorer

Thank you!!!

0 Karma

emiller42
Motivator

Internal Splunk logs aren't sent to 'Main'. They're sent to '_internal' and aren't applied to your license. If you have data going into Main, it's because of inputs you may have set up.

Recommend looking at the data in your main index and making determinations from there.
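
Added example, not part of the original thread: one way to follow this advice (and the accepted solution's point that everything in main comes from an input you or an app defined) is to break the licensed volume in main down by host, sourcetype and source. The sketch below assumes the key=value layout of `type=Usage` events in the license manager's license_usage.log; the sample lines, byte counts and the `firewall` index are constructed, and the percentages are shares of the licensed bytes in the sample, not of the license quota.

```python
import re
from collections import Counter

# Constructed sample lines in the key=value style of license_usage.log
# (idx = index, h = host, st = sourcetype, s = source, b = licensed bytes).
PREFIX = '01-15-2024 10:00:00.000 -0500 INFO  LicenseUsage - '
SAMPLE = "\n".join(PREFIX + rest for rest in [
    'type=Usage s="/var/log/messages" st="syslog" h="SPLUNK01.My.Domain" o="" idx="main" b=600 poolsz=10000',
    'type=Usage s="/var/log/secure" st="linux_secure" h="SPLUNK01.My.Domain" o="" idx="main" b=200 poolsz=10000',
    'type=Usage s="/var/log/messages" st="syslog" h="SPLUNK01.My.Domain" o="" idx="main" b=400 poolsz=10000',
    'type=Usage s="udp:514" st="fw" h="fw01" o="" idx="firewall" b=2800 poolsz=10000',
    'type=RolloverSummary pool="example_pool" b=4000 poolsz=10000',  # not a Usage event
])

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_usage(line):
    """Return the fields of a type=Usage event, or None for any other line."""
    fields = {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}
    if fields.get("type") != "Usage" or not fields.get("b", "").isdigit():
        return None
    return fields

def usage_by_input(text, index="main"):
    """Sum licensed bytes per (host, sourcetype, source) for one index."""
    per_input, total = Counter(), 0
    for line in text.splitlines():
        event = parse_usage(line)
        if event is None:
            continue
        size = int(event["b"])
        total += size  # all indexes count toward the licensed total
        if event.get("idx") == index:
            per_input[(event.get("h"), event.get("st"), event.get("s"))] += size
    return per_input, total

def report(text, index="main"):
    """Rows of (host, sourcetype, source, bytes, % of all licensed bytes), largest first."""
    per_input, total = usage_by_input(text, index)
    return [(h, st, s, b, round(100 * b / (total or 1), 1))
            for (h, st, s), b in per_input.most_common()]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

The largest rows point at the inputs.conf stanzas (your own or an app's) worth narrowing or disabling.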

jviteka
Explorer

So when I look at my domain host "SPLUNK01.My.Domain" and "main" they don't count against my license? Why does the "License Usage" app on the matrix they show?

0 Karma

Ayn
Legend

It would make no difference. These logs go to the _internal index and do not count against your license.

jviteka
Explorer

I know that I can remove the monitor from /opt/splunk/var/log/splunk/*.log but would that be a good idea?

0 Karma