Installation

Does the indexing of Splunk internal logs such as metrics.log count against our license?

jairjr
Path Finder

When running

index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)

to find indexing volume per host, to my surprise, the Splunk host appears in second. Is that right? Does the indexing of the metrics.log file hit my license usage?

Labels (1)

acharlieh
Influencer

metrics.log is measuring the thruput of data being actually being indexed by Splunk, as a measure of how well your input and indexing pipelines are performing. The metrics.log file itself is indeed indexed to the _internal index because you can run a splunk search and have it show up.

However, this data and the other data indexed by Splunk about Splunk in _internal and _introspection and a few other indexes, does not actually count toward your license. Additionally data that is indexed by Splunk out of summarization queries run against other Splunk data and written into Summary Indexes is additionally not counted toward your license, however it is possible to configure your Splunk Server(s) to have inputs of their own and pick up data that isn't about Splunk itself, thus would actually count toward your license.

To figure out actual license impact (instead of performance metrics) you'll want to look on your license master, there should be a search called the "License Usage Data Cube" which helps build breakdowns and the License Usage Report View which will let you see the actual license impact against various indexes and hosts. (You should read the documentation page because there is squashing behavior that could take place in the data sent to the license master from each indexer.

jairjr
Path Finder

Thank you guys for the answers. I'm bit new to Splunk, is there somehow simple to find out who is sending more data? Since a week ago I'm getting licenses violations and I'm not able to find who is sending the data.

0 Karma

MuS
SplunkTrust
SplunkTrust

Check the License Usage Report View http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/AboutSplunksLicenseUsageReportView like @acharlieh suggested

tlelle_splunk
Splunk Employee
Splunk Employee

Internal Splunk logs do not count against your license usage, however, the data is still going to be searchable since you are specifying the _internal index.

Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...