Getting Data In
Highlighted

Why is my License Usage not matching actual index amount?

Path Finder

I currently own a 10GB daily indexing license. A few days ago I exceeded the indexing amount, however, none of my indexes saw as big a jump as should have occurred. After checking the details I found that supposedly 15.43 GB was indexed into a single index (called spore_1), however when I go to manage indexes the index only contains 1.08GB of data.

Another issue arose today where I was issued a warning even though my current license usage is only at 4.341 GB. What is causing this disparity in both cases?

Highlighted

Re: Why is my License Usage not matching actual index amount?

SplunkTrust
SplunkTrust

Splunk's license usage is based on the raw data that comes in, so if you send in 10GB of raw logs that will be counted as 10GB of license usage. The license usage view report will have more details

However due to compression of the raw data (and then of course creation of the metadata) your index size may be more or less than the incoming data.

If you are using the monitoring console (previously the distributed monitoring console) one of the tabs will advise you of the raw amount of data in the index vs the usage on disk. Only the raw amount of data counts towards licensing.

In regard to

Another issue arose today where I was
issued a warning even though my
current license usage is only at 4.341
GB. What is causing this disparity in
both cases?

In this case I'd like to see the message, I'm unclear from the explanation as to what this is...

Highlighted

Re: Why is my License Usage not matching actual index amount?

Esteemed Legend

It is impossible to comment with any authority because you have not told us how you determined what you have told us. Along with what @garethatiag said, I would add this:

What did you do to determine that you violated your license? In other words did you:
A: Compare df from today to df from yesterday?
B: Get a warning on your Search Head (if so, what did it say)?
C: Run a search/report on your Management Console (if so, which one, and what did it say)?
D: Search the _* logs for license details (if so, what was the search and what did it say)?

0 Karma
Highlighted

Re: Why is my License Usage not matching actual index amount?

Splunk Employee
Splunk Employee

@byu168 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma