Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is my License Usage not matching actual index amount?

byu168
Path Finder
‎02-03-2017 09:39 AM

I currently own a 10GB daily indexing license. A few days ago I exceeded the indexing amount, however, none of my indexes saw as big a jump as should have occurred. After checking the details I found that supposedly 15.43 GB was indexed into a single index (called spore_1), however when I go to manage indexes the index only contains 1.08GB of data.

Another issue arose today where I was issued a warning even though my current license usage is only at 4.341 GB. What is causing this disparity in both cases?

Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎02-23-2017 11:11 PM

@byu168 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma
Reply

woodcock
Esteemed Legend
‎02-21-2017 08:20 PM

It is impossible to comment with any authority because you have not told us how you determined what you have told us. Along with what @garethatiag said, I would add this:

What did you do to determine that you violated your license? In other words did you:
A: Compare df from today to df from yesterday?
B: Get a warning on your Search Head (if so, what did it say)?
C: Run a search/report on your Management Console (if so, which one, and what did it say)?
D: Search the _* logs for license details (if so, what was the search and what did it say)?

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎02-04-2017 01:11 PM

Splunk's license usage is based on the raw data that comes in, so if you send in 10GB of raw logs that will be counted as 10GB of license usage. The license usage view report will have more details

However due to compression of the raw data (and then of course creation of the metadata) your index size may be more or less than the incoming data.

If you are using the monitoring console (previously the distributed monitoring console) one of the tabs will advise you of the raw amount of data in the index vs the usage on disk. Only the raw amount of data counts towards licensing.

In regard to

Another issue arose today where I was
issued a warning even though my
current license usage is only at 4.341
GB. What is causing this disparity in
both cases?

In this case I'd like to see the message, I'm unclear from the explanation as to what this is...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...