Getting Data In

Universal Forwarder and Free Splunk license?

johns3
Path Finder

Is the universal forwarder free or do you need to have a license to use it? I am looking to use them on my Windows machines with the free version of Splunk but cannot find a definite answer on this.

Under the "Types of Splunk licenses" it says The universal forwarder has the license enabled/applied automatically; no additional steps are required post-installation. I am not sure if it communicates with the main Splunk indexer to see if there is an enterprise license or whatever is needed.

Tags (1)

johns3
Path Finder

Do you need a license to forward from one indexer to another?

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Universal forwarders have no license, they also don't transform any data. All data is sent directly to the indexer, which then indexes the data an applies he count to the license. In this case, as long as all the data sent from your windows machines stays within the free license, you should be fine.

royimad
Builder

Thanks, this is an answer that i'm looking at, However what i need to know is if i'm sending 10 MB file to splunk instance free license from the forwarder and splunk only index the changes in that logs ( the delta changes ) would it count the total size of the logs as computed or just the changes in that logs?

0 Karma

Richfez
SplunkTrust
SplunkTrust

I'm sure you've figured this out already, but I stumbled across this and since it's not accepted and it really does have final question, I feel like it'll be fun to answer it!

If you have Splunk watching a file, the first time it sees it the UF will send in the entire contents of the file. From then on it'll only send in changes.

For instance, suppose you have a file that gets 10 MB added each day. The file is old, it's got 300 days worth of history already in it so it's 3 GB in size. When you first set up that input, the Splunk Universal Forwarder (UF) will send in all 3GB, exceeding the 500 MB/day free license amount by 2.5 GB. You get 3 times of doing this per 30 day window, though, so that's OK as long as you don't keep going over.

After that, each day the UF will send in the 10 MB.

The amount that's used up of your license is only what's sent in, 10 MB/ day (most days).

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

If this answered your question, please accept it. Thanks!

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...