Why is my License Usage not matching actual index amount?

byu168
Path Finder

I currently own a 10GB daily indexing license. A few days ago I exceeded the indexing amount; however, none of my indexes saw as big a jump as should have occurred. After checking the details I found that supposedly 15.43 GB was indexed into a single index (called spore_1); however, when I go to manage indexes, the index only contains 1.08GB of data.

Another issue arose today where I was issued a warning even though my current license usage is only at 4.341 GB. What is causing this disparity in both cases?

aaraneta_splunk
Splunk Employee

@byu168 - Did one of the answers below help provide a solution to your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

woodcock
Esteemed Legend

It is impossible to comment with any authority because you have not told us how you determined what you have told us. Along with what @garethatiag said, I would add this:

What did you do to determine that you violated your license? In other words did you:
A: Compare df from today to df from yesterday?
B: Get a warning on your Search Head (if so, what did it say)?
C: Run a search/report on your Management Console (if so, which one, and what did it say)?
D: Search the _* logs for license details (if so, what was the search and what did it say)?

0 Karma

gjanders
SplunkTrust

Splunk's license usage is based on the raw data that comes in, so if you send in 10GB of raw logs, that will be counted as 10GB of license usage. The license usage view report will have more details.

However, due to compression of the raw data (and then of course creation of the metadata), your index size may be more or less than the incoming data.

If you are using the monitoring console (previously the distributed monitoring console) one of the tabs will advise you of the raw amount of data in the index vs the usage on disk. Only the raw amount of data counts towards licensing.

In regard to

"Another issue arose today where I was issued a warning even though my current license usage is only at 4.341 GB. What is causing this disparity in both cases?"

In this case I'd like to see the message, I'm unclear from the explanation as to what this is...
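
Added example, not part of any reply in this thread: one search that puts the three numbers being compared side by side for a single index, so the gap between metered raw ingest and on-disk size is visible. It assumes the index name `spore_1` from the question, that the search runs where the license manager's `_internal` data is searchable, and that the time range picker covers the day of the warning. Buckets that have already aged out of the index no longer appear in the `dbinspect` rows but still counted toward the license on the day they arrived.

```spl
index=_internal source=*license_usage.log* type=Usage idx=spore_1
| stats sum(b) AS bytes
| eval measure="licensed volume (raw bytes metered at ingest)"
| append
    [| dbinspect index=spore_1
     | stats sum(rawSize) AS bytes
     | eval measure="uncompressed raw size of buckets still in the index"]
| append
    [| dbinspect index=spore_1
     | stats sum(sizeOnDiskMB) AS mb
     | eval bytes=mb*1024*1024, measure="size on disk (compressed raw data plus index files)"]
| eval GB=round(bytes/1024/1024/1024, 2)
| table measure GB
```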
