I would like to know whether it is possible to limit Splunk license consumption based on host.
There are 50 hosts sending logs to my heavy forwarders.
Out of those, I want to limit the license usage consumption for some 10 devices (by hostname).
Say, a 10 Gb maximum limit for each device; over that I want to stop indexing for those devices and throw a license usage warning message.
Currently, there is an option to control license usage at Indexer level, but is there any option to control it at host level?
No, this is not possible.
This is because the Splunk license model is based on data being indexed, not data being submitted or read.
Therefore it makes no sense to limit it based on a host sending data.
Also remember that the license limit or license pool limit is not a hard limit, meaning it will not stop indexing even if the limit is reached; you will get a violation but indexing continues...
You can restrict a host to X GB/day by installing a universal forwarder on that host and limiting its thruput in limits.conf.
Say you want a host to send 10GB/day maximum, that's 121KB/s. Add a limits.conf entry on that host like this:
[thruput]
maxKBps = 121
Note, this is not a great way of achieving a per-host limit, but it's the only way I know of. You will get indexing delays during peak times when you hit the limit, and you will get massive delays when your host is trying to send over 10GB/day. If it keeps trying to send more, your data will keep on piling up and eventually some will get lost due to overfilled queues, log deletion, etc.
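An added example, not part of either answer above: it derives the `maxKBps` value for a daily cap and models the backlog the second answer warns about. The hourly volumes are constructed, and the model assumes the forwarder drains at exactly `maxKBps` whenever data is waiting and drops nothing.

```python
"""Model of a universal forwarder throttled by [thruput] maxKBps (added example)."""

SECONDS_PER_DAY = 86_400
KB_PER_GB = 1024 * 1024

# Constructed sample days: KB of new log data written by the host in each hour.
# Bursty day: about 9.2 GB in total (under the cap), with a 4-hour peak.
BURSTY_DAY = [300_000] * 9 + [900_000] * 4 + [300_000] * 11
# Over-cap day: about 11.4 GB spread evenly across 24 hours.
OVER_CAP_DAY = [500_000] * 24


def max_kbps_for_daily_cap(cap_gb):
    """Largest whole KB/s that never exceeds cap_gb per day."""
    return int(cap_gb * KB_PER_GB / SECONDS_PER_DAY)


def simulate_backlog(hourly_kb, max_kbps):
    """Return the unsent backlog (KB) at the end of each hour."""
    budget = max_kbps * 3600  # KB the forwarder may send per hour
    backlog = 0
    history = []
    for produced in hourly_kb:
        # Anything beyond the hourly budget waits for a later hour.
        backlog = max(0, backlog + produced - budget)
        history.append(backlog)
    return history


def delay_hours(backlog_kb, max_kbps):
    """Hours needed to drain backlog_kb if no new data arrived."""
    return backlog_kb / (max_kbps * 3600)


if __name__ == "__main__":
    limit = max_kbps_for_daily_cap(10)
    print(f"[thruput]\nmaxKBps = {limit}")
    for name, day in (("bursty", BURSTY_DAY), ("over cap", OVER_CAP_DAY)):
        history = simulate_backlog(day, limit)
        worst = max(history)
        print(f"{name}: worst backlog {worst} KB "
              f"(~{delay_hours(worst, limit):.1f} h behind), "
              f"end of day {history[-1]} KB")
```

The bursty day stays under 10 GB yet still ends with data waiting, while the over-cap day's backlog grows every hour and never drains.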