Is the default 500 MB usage valid for logs of a sourcetype other than the fixed sourcetype of the license?

MegSplunk
Path Finder

I have a single Splunk instance (no master slave configuration). Our Splunk license is for a fixed sourcetype. If I try to add a log file (less than 500 MB) of a different sourcetype (other than the fixed sourcetype of the license), Splunk throws a license violation.

How can I allot the default (free) 500 MB usage for this second sourcetype?

Any help appreciated.

Thanks in advance.


jconger
Splunk Employee

There is such a thing as a single sourcetype license, although this is usually seen in an OEM situation. I would recommend installing another instance of Splunk (either on a new server or the same server) with a 500 MB free license.

Here is how to install multiple instances of Splunk on the same server -> https://wiki.splunk.com/Community:Run_multiple_Splunks_on_one_machine

MegSplunk
Path Finder

We believed that for the logs of the second sourcetype, the default limit of 500 MB would be used.

So either a separate installation or a separate license for the second sourcetype is in order. Thanks for all the help.

kristian_kolb
Ultra Champion

Interesting, you learn something new every day!

So that means that you @MegSplunk are trying to break the intent of the license agreement that you have, and you're being stopped from doing that.

Just quit doing that and download a free version of Splunk, and no one will complain.

/k

kristian_kolb
Ultra Champion

"Our Splunk license is for a fixed sourcetype". I have never heard of that, could you describe further?

The 500 MB limit (or indeed any license limit) is for the combined uncompressed size of the log files that are indexed by the Splunk instance during a 24-hour period (midnight to midnight). Splunk internal logs, which are stored in the _internal index, do not count towards the license.

So perhaps there are other log files that - combined with your logs - will exceed the total allowed limit.

/K
