Is it possible to limit Splunk's license usage to ...

splunker12er · ‎12-20-2014

I would like to know the possibility to limit the splunk license consumption based on host.

There are 50 hosts sending logs to my heavy forwarders.
Out of that I want to limit the license usage consumption for some 10 devices (by hostname)

Say, 10 Gb maximum limit for each device, over that i want to stop indexing for those devices and throw a license usage warning message

Currently, there is an option to control license usage at Indexer level, but is there any option to control at host level ?

Please advise.

martin_mueller · ‎12-21-2014

You can restrict a host to X GB/day by installing a universal forwarder on that host and limiting its thruput in limits.conf.

Say you want a host to send 10GB/day maximum, that's 121KB/s. Add a limits.conf entry on that host like this:

[thruput]
maxKBps = 121

Note, this is not a great way of achieving a per-host limit, but it's the only way I know of. You will get indexing delays during peak times when you hit the limit, and you will get massive delays when your host is trying to send over 10GB/day. If it keeps trying to send more, your data will keep on piling up and eventually some will get lost due to overfilled queues, log deletion, etc.

MuS · ‎12-20-2014

Hi splunker12er,

No, this is not possible.
Because Splunk license model is based on data being indexed, not data being submitted or read.
Therefore it make no sense to limit it based on a host sending data.
Also remember the license limit or license pool limit is not a hard limit; meaning it will not stop indexing even the limit is reached, you will get a violation but indexing continues....

cheers, MuS

Is it possible to limit Splunk's license usage to specific hosts?

license

There's No Place Like Chrome and the Splunk Platform

The Great Resilience Quest: 5th Leaderboard Update

Devesh Logendran, Splunk, and the Singapore Cyber Conquest