Is it possible to limit Splunk's license usage to specific hosts?


I would like to know the possibility to limit the splunk license consumption based on host.

There are 50 hosts sending logs to my heavy forwarders.
Out of that I want to limit the license usage consumption for some 10 devices (by hostname)

Say, 10 Gb maximum limit for each device, over that i want to stop indexing for those devices and throw a license usage warning message

Currently, there is an option to control license usage at Indexer level, but is there any option to control at host level ?

Please advise.

Labels (1)
0 Karma


You can restrict a host to X GB/day by installing a universal forwarder on that host and limiting its thruput in limits.conf.

Say you want a host to send 10GB/day maximum, that's 121KB/s. Add a limits.conf entry on that host like this:

maxKBps = 121

Note, this is not a great way of achieving a per-host limit, but it's the only way I know of. You will get indexing delays during peak times when you hit the limit, and you will get massive delays when your host is trying to send over 10GB/day. If it keeps trying to send more, your data will keep on piling up and eventually some will get lost due to overfilled queues, log deletion, etc.


Hi splunker12er,

No, this is not possible.
Because Splunk license model is based on data being indexed, not data being submitted or read.
Therefore it make no sense to limit it based on a host sending data.
Also remember the license limit or license pool limit is not a hard limit; meaning it will not stop indexing even the limit is reached, you will get a violation but indexing continues....

cheers, MuS

Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...