Splunk indexes its internal logs (for example, splunkd.log) into an index named _internal. This index does not count as part of your Splunk license. Splunk does not add any data to the main index. So disabling Splunk's logs will not save you anything - as Ayn points out.
Everything in the main index came from either (1) inputs that you defined or (2) inputs defined by apps that you installed.
If you are monitoring the Linux or Windows system where Splunk is running - which is probably what SPLUNK01.My.Domain is - these are not Splunk internal logs. These are just regular system logs. These logs could be indexed in the main index or the os index or whatever - but these logs do count against your license. While it is a good idea to monitor the systems where Splunk is running, you can change or disable these inputs. Limiting these inputs will decrease your Splunk license usage.
People often install the Linux or Windows apps on their Splunk servers. This is most likely the origin of these inputs. If you have these apps, I suggest that you check the configurations.
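One way to see which index and host are consuming license before changing any inputs, as an added example that is not part of the original answers: the script totals the type=Usage records of license_usage.log by index and host. The sample lines are constructed, and the field layout (idx, h, b) and the empty h on squashed records are assumptions about that log's format.

```python
import re
from collections import defaultdict

# Constructed sample lines in the assumed key=value layout of license_usage.log.
# The GUID, pool name and byte counts are made up for illustration.
SAMPLE = '''\
01-15-2024 10:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/messages" st="syslog" h="SPLUNK01.My.Domain" o="" idx="main" i="00000000-0000-0000-0000-000000000000" pool="example_pool" b=5242880 poolsz=524288000
01-15-2024 10:01:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/secure" st="linux_secure" h="SPLUNK01.My.Domain" o="" idx="main" i="00000000-0000-0000-0000-000000000000" pool="example_pool" b=3145728 poolsz=524288000
01-15-2024 10:01:01.000 +0000 INFO  LicenseUsage - type=Usage s="ps" st="ps" h="SPLUNK01.My.Domain" o="" idx="os" i="00000000-0000-0000-0000-000000000000" pool="example_pool" b=1048576 poolsz=524288000
01-15-2024 10:02:01.000 +0000 INFO  LicenseUsage - type=Usage s="" st="syslog" h="" o="" idx="main" i="00000000-0000-0000-0000-000000000000" pool="example_pool" b=2097152 poolsz=524288000
01-16-2024 00:00:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary pool="example_pool" b=11534336 poolsz=524288000
'''

# key=value pairs, where the value is either "quoted" or a bare token
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line):
    """Return the key=value fields of one log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def usage_by_index_host(text):
    """Sum the bytes (b) of type=Usage records per (index, host)."""
    totals = defaultdict(int)
    for line in text.splitlines():
        fields = parse(line)
        # Skip daily RolloverSummary records and anything without a byte count
        if fields.get("type") != "Usage" or "b" not in fields:
            continue
        # An empty h is treated here as a squashed record (assumption)
        host = fields.get("h") or "(squashed)"
        totals[(fields.get("idx", "(unknown)"), host)] += int(fields["b"])
    return dict(totals)


def report(totals):
    """Format totals as lines, largest consumer first."""
    rows = sorted(totals.items(), key=lambda kv: -kv[1])
    return [f"{idx:<8} {host:<22} {b / 1048576:8.2f} MB" for (idx, host), b in rows]


if __name__ == "__main__":
    print("\n".join(report(usage_by_index_host(SAMPLE))))
```

The index and host at the top of the report are the inputs to review first in the app configurations mentioned above.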
Thank you!!!
Internal Splunk logs aren't sent to 'Main'. They're sent to '_internal' and aren't applied to your license. If you have data going into Main, it's because of inputs you may have set up.
Recommend looking at the data in your main index and making determinations from there.
So when I look at my domain host "SPLUNK01.My.Domain" and "main" they don't count against my license? Why does the "License Usage" app on the matrix they show?
It would make no difference. These logs go to the _internal index and do not count against your license.
I know that I can remove the monitor from /opt/splunk/var/log/splunk/*.log but would that be a good idea?