I currently own a 10GB daily indexing license. A few days ago I exceeded the indexing amount, however, none of my indexes saw as big a jump as should have occurred. After checking the details I found that supposedly 15.43 GB was indexed into a single index (called spore_1), however when I go to manage indexes the index only contains 1.08GB of data.
Another issue arose today where I was issued a warning even though my current license usage is only at 4.341 GB. What is causing this disparity in both cases?
Splunk's license usage is based on the raw data that comes in, so if you send in 10GB of raw logs that will be counted as 10GB of license usage. The license usage view report will have more details
However due to compression of the raw data (and then of course creation of the metadata) your index size may be more or less than the incoming data.
If you are using the monitoring console (previously the distributed monitoring console) one of the tabs will advise you of the raw amount of data in the index vs the usage on disk. Only the raw amount of data counts towards licensing.
In regard to
Another issue arose today where I was
issued a warning even though my
current license usage is only at 4.341
GB. What is causing this disparity in
In this case I'd like to see the message, I'm unclear from the explanation as to what this is...
It is impossible to comment with any authority because you have not told us how you determined what you have told us. Along with what @garethatiag said, I would add this:
What did you do to determine that you violated your license? In other words did you:
df from today to
df from yesterday?
B: Get a warning on your Search Head (if so, what did it say)?
C: Run a search/report on your Management Console (if so, which one, and what did it say)?
D: Search the
_* logs for license details (if so, what was the search and what did it say)?
@byu168 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.