How to handle my license for double forwarding and local copies of data?


Hello everyone,

Here is my topology:

Devices --> Splunk Forwarding and store local copy A (3 networks) --> Splunk Forwarding and store local copy B (3 networks) ---> Splunk Main index

So I have 9 networks (3*3) to monitor, and I have 4 licenses of 1 gb,
I want to put all my license on my main index, and propagate them to other Splunk instances.

I understood that I have to put the main index as the master and the others as slaves, but I don't know if the license information will be given to the A instance from the B.

Can you help me?



Labels (1)
0 Karma


Hi Damien,
Splunk Licensing is restrictive from an indexer perspective rather than an "index". Simply put an indexer can index a set amount of data per the license configured on it.

So, if you are saying you want to index the data locally (say on Site 1) and forward the "same" data to a second set of indexers in Site 2 for indexing again... you will be wasting you license (doubling the license consumption to be exact).

But if you are just asking if it's possible to set a license master on a single site and point all the other indexers (slaves) to the license master ... then yes. You can do that. You can set license pools for each of your sites (with set data limits) and allocate indexers to the pools as fits your needs.

Since your current intention seems to be to index and forward... you may gain by considering other ways to achieve the same end goal by considering multisite clustering options or even having distributed searcheads (searchheads having access to all your indexers across all sites) and avoiding double indexing.

Hope this helps.