Are there best practices for controlling my daily license quota used per pool?

New Member

I am a newbie and just getting started. I'm only pulling local data from the Splunk Server. I do have a few apps installed for Active Directory and Utilization Monitor. I have a 5GB limit and my daily usage is already at 2.267GB of usage. What happens when I set up forwarders for at least 60 additional servers? Is my license big enough? Is there best practice documentation for newbies?

0 Karma


It all depends on the data you want to bring in. On those 60 forwarders, do you know what logs you're looking to ingest? Can you do some manual calculations to determine how much per day that would be? Will each forwarder report the same type of data? Meaning, can you install on one and extrapolate from there?

Are you bringing in anything today that you don't need? Maybe something being ingested by default by the apps you installed?

The documentation is worth a read. But at a high level, if you go over your license for a day then you get a warning. If you get 5 warnings in a rolling 30-day period then you're in violation. At that point, you won't be able to search your data, however it will still be indexed. You would need to request a reset key to remove the warnings and start - something you'd get from your sales contact or support.

0 Karma
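Added example, not part of the original thread: a sizing sketch for the "install on one and extrapolate" approach, using the 5GB quota, 2.267GB current usage and 60 forwarders from the question, and the 5-warnings-in-a-rolling-30-days rule as stated in the answer. The pilot forwarder volumes and the daily usage series are constructed sample data, and all function names are hypothetical.

```python
from datetime import date, timedelta

QUOTA_GB = 5.0        # license size from the question
CURRENT_GB = 2.267    # current daily usage from the question
FORWARDERS = 60       # planned forwarders from the question

# Constructed sample: one week of daily volume (MB) from a single pilot forwarder.
PILOT_DAILY_MB = [40, 42, 38, 55, 41, 39, 44]

def projected_daily_gb(pilot_mb, use_peak=True):
    """Extrapolate one pilot forwarder to all planned forwarders.

    Sizing on the pilot's peak day matters because the license is
    checked per day, so one busy day is enough to earn a warning.
    """
    per_host_mb = max(pilot_mb) if use_peak else sum(pilot_mb) / len(pilot_mb)
    return CURRENT_GB + FORWARDERS * per_host_mb / 1024

def budget_per_forwarder_mb():
    """Daily volume each new forwarder may send before the quota is exceeded."""
    return (QUOTA_GB - CURRENT_GB) * 1024 / FORWARDERS

def first_violation(daily_gb, start, max_warnings=5, window_days=30):
    """Return the first date with max_warnings over-quota days inside the
    rolling window (assumed here to be the last window_days days,
    including the current day), or None if that never happens."""
    warnings = []
    for offset, used in enumerate(daily_gb):
        day = start + timedelta(days=offset)
        if used > QUOTA_GB:
            warnings.append(day)
        # Drop warnings that have aged out of the rolling window.
        warnings = [d for d in warnings if (day - d).days < window_days]
        if len(warnings) >= max_warnings:
            return day
    return None

def series_with_peaks(days, peak_offsets, base_gb=4.8, peak_gb=5.5):
    """Constructed usage series: base_gb every day, peak_gb on the given days."""
    return [peak_gb if i in peak_offsets else base_gb for i in range(days)]

if __name__ == "__main__":
    print(f"projected on average day: {projected_daily_gb(PILOT_DAILY_MB, False):.2f} GB")
    print(f"projected on peak day:    {projected_daily_gb(PILOT_DAILY_MB):.2f} GB")
    print(f"budget per forwarder:     {budget_per_forwarder_mb():.1f} MB/day")
    weekly = series_with_peaks(35, {2, 9, 16, 23, 30})
    print("first violation:", first_violation(weekly, date(2024, 1, 1)))
```

With this sample data the average day fits under the quota while the peak day does not, and a once-a-week overage reaches the fifth warning inside the window on the 31st day.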