Is it possible to limit Splunk's license usage to specific hosts?


I would like to know the possibility to limit the splunk license consumption based on host.

There are 50 hosts sending logs to my heavy forwarders.
Out of that I want to limit the license usage consumption for some 10 devices (by hostname)

Say, 10 Gb maximum limit for each device, over that i want to stop indexing for those devices and throw a license usage warning message

Currently, there is an option to control license usage at Indexer level, but is there any option to control at host level ?

Please advise.

Labels (1)
0 Karma


You can restrict a host to X GB/day by installing a universal forwarder on that host and limiting its thruput in limits.conf.

Say you want a host to send 10GB/day maximum, that's 121KB/s. Add a limits.conf entry on that host like this:

maxKBps = 121

Note, this is not a great way of achieving a per-host limit, but it's the only way I know of. You will get indexing delays during peak times when you hit the limit, and you will get massive delays when your host is trying to send over 10GB/day. If it keeps trying to send more, your data will keep on piling up and eventually some will get lost due to overfilled queues, log deletion, etc.


Hi splunker12er,

No, this is not possible.
Because Splunk license model is based on data being indexed, not data being submitted or read.
Therefore it make no sense to limit it based on a host sending data.
Also remember the license limit or license pool limit is not a hard limit; meaning it will not stop indexing even the limit is reached, you will get a violation but indexing continues....

cheers, MuS

Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out >> 🏆 Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...