Getting Data In

SPLUNK index main logs

jviteka
Explorer

My Splunk License Usage app is showing that my SPLUNK server is using 26% of my license (from "main"). Is there any way to make this smaller?

1 Solution

lguinn2
Legend

Splunk indexes its internal logs (for example, splunkd.log) into an index named _internal. This index does not count as part of your Splunk license. Splunk does not add any data to the main index. So disabling Splunk's logs will not save you anything - as Ayn points out.

Everything in the main index came from either (1) inputs that you defined or (2) inputs defined by apps that you installed.

If you are monitoring the Linux or Windows system where Splunk is running - which is probably what SPLUNK01.My.Domain is - these are not Splunk internal logs. These are just regular system logs. These logs could be indexed in the main index or the os index or whatever - but these logs do count against your license. While it is a good idea to monitor the systems where Splunk is running, you can change or disable these inputs. Limiting these inputs will decrease your Splunk license usage.

People often install the Linux or Windows apps on their Splunk servers. This is most likely the origin of these inputs. If you have these apps, I suggest that you check the configurations.


jviteka
Explorer

Thank you!!!


emiller42
Motivator

Internal Splunk logs aren't sent to 'Main'. They're sent to '_internal' and aren't applied to your license. If you have data going into Main, it's because of inputs you may have set up.

Recommend looking at the data in your main index and making determinations from there.
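One way to do that, as an added example that is not part of this thread: Splunk's license manager writes per-index usage to license_usage.log in _internal, with type=Usage events carrying the index (idx), sourcetype (st), host (h), source (s) and bytes (b). This search breaks the last seven days of main-index usage down by host, sourcetype and source so the heaviest inputs stand out; the time range and the top-20 cutoff are just choices for this example.

```spl
index=_internal source=*license_usage.log* type=Usage idx=main earliest=-7d@d latest=@d
| eval MB=round(b/1024/1024, 2)
| stats sum(MB) as MB by h, st, s
| sort - MB
| head 20
```

Run it on the license manager (or search head that can reach its _internal index); each row maps back to a monitor stanza in an inputs.conf that you or an installed app defined.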

jviteka
Explorer

So when I look at my domain host "SPLUNK01.My.Domain" and "main", they don't count against my license? Why does the "License Usage" app show them on the matrix?


Ayn
Legend

It would make no difference. These logs go to the _internal index and do not count against your license.

jviteka
Explorer

I know that I can remove the monitor from /opt/splunk/var/log/splunk/*.log but would that be a good idea?
