I would like to know the possibility to limit the Splunk license consumption based on host.
There are 50 hosts sending logs to my heavy forwarders.
Out of that I want to limit the license usage consumption for some 10 devices (by hostname).
Say, 10 Gb maximum limit for each device; over that I want to stop indexing for those devices and throw a license usage warning message.
Currently, there is an option to control license usage at Indexer level, but is there any option to control at host level?
You can restrict a host to X GB/day by installing a universal forwarder on that host and limiting its thruput in limits.conf.
Say you want a host to send 10GB/day maximum, that's 121KB/s. Add a limits.conf entry on that host like this:
[thruput]
maxKBps = 121
Note, this is not a great way of achieving a per-host limit, but it's the only way I know of. You will get indexing delays during peak times when you hit the limit, and you will get massive delays when your host is trying to send over 10GB/day. If it keeps trying to send more, your data will keep on piling up and eventually some will get lost due to overfilled queues, log deletion, etc.
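The trade-off described in the answer above can be put into numbers with a small model. This is an added example, not part of the original answer or of Splunk: the hourly profiles are constructed, and the forwarder is assumed to send at exactly the capped rate whenever it has data waiting.

```python
# Added example: model of a forwarder held to a [thruput] maxKBps cap.
SECONDS_PER_DAY = 86_400
KB_PER_GB = 1024 * 1024  # same units as the answer's 10GB/day -> 121KB/s


def max_kbps_for_daily_cap(gb_per_day):
    """Sustained KB/s that adds up to gb_per_day over 24 hours, rounded down."""
    return int(gb_per_day * KB_PER_GB / SECONDS_PER_DAY)


def simulate_backlog(hourly_gb, max_kbps, days=1):
    """Replay an hourly production profile (GB written per hour) against the cap.

    Returns (backlog_gb_after_each_hour, worst_delay_hours), where the delay is
    the time needed to drain the largest backlog at the capped rate.
    """
    cap_gb_per_hour = max_kbps * 3600 / KB_PER_GB
    backlog, history = 0.0, []
    for _ in range(days):
        for produced in hourly_gb:
            # Unsent data carries over; the forwarder never sends above the cap.
            backlog = max(0.0, backlog + produced - cap_gb_per_hour)
            history.append(backlog)
    return history, max(history) / cap_gb_per_hour


# Constructed profiles (assumptions, not measurements):
# 8 GB/day total, but 6 GB of it lands in an 8-hour busy window.
BURSTY_UNDER_CAP = [0.125] * 8 + [0.75] * 8 + [0.125] * 8
# 12 GB/day at a flat rate, i.e. permanently above the 10 GB/day cap.
STEADY_OVER_CAP = [0.5] * 24

if __name__ == "__main__":
    cap = max_kbps_for_daily_cap(10)
    print(f"[thruput]\nmaxKBps = {cap}")
    for name, profile, days in (("bursty, under cap", BURSTY_UNDER_CAP, 1),
                                ("steady, over cap", STEADY_OVER_CAP, 3)):
        history, delay = simulate_backlog(profile, cap, days)
        print(f"{name}: worst delay {delay:.1f} h, "
              f"backlog at end {history[-1]:.2f} GB")
```

The bursty host stays under 10GB/day and still falls hours behind during its busy window. The steady 12GB/day host adds roughly 2GB of unsent data every day, which is the pile-up that ends in lost events once the source logs rotate or queues fill.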
No, this is not possible.
Because the Splunk license model is based on data being indexed, not data being submitted or read.
Therefore it makes no sense to limit it based on a host sending data.
Also remember the license limit or license pool limit is not a hard limit, meaning it will not stop indexing even if the limit is reached; you will get a violation but indexing continues...