Installation

Is the default 500 MB usage valid for log of sourcetype other than fixed sourcetype of license?

MegSplunk
Path Finder

I have a single Splunk instance ( No master slave configuration ). Our Splunk license is for a fixed sourcetype. If I try to add a log file ( less than 500 MB ) of a different sourcetype ( other than the fixed sourcetype of license ), Splunk throws a license violation.

How can i allot the default (free) 500 MB usage for this second sourcetype?

Any help appreciated.

Thanks in advance.

0 Karma
1 Solution

jconger
Splunk Employee
Splunk Employee

There is such a thing as a single sourcetype license; although, this is usually seen in an OEM situation. I would recommend installing another instance of Splunk (either on a new server or the same server) with a 500 MB free license.

Here is how to install multiple instances of Splunk on the same server -> https://wiki.splunk.com/Community:Run_multiple_Splunks_on_one_machine

View solution in original post

jconger
Splunk Employee
Splunk Employee

There is such a thing as a single sourcetype license; although, this is usually seen in an OEM situation. I would recommend installing another instance of Splunk (either on a new server or the same server) with a 500 MB free license.

Here is how to install multiple instances of Splunk on the same server -> https://wiki.splunk.com/Community:Run_multiple_Splunks_on_one_machine

MegSplunk
Path Finder

We believed that for the logs of second sourcetype, the default limit of 500 MB will be used.

So either a separate installation or a separate license for the second sourcetype is in order. Thanks for all the help.

0 Karma

kristian_kolb
Ultra Champion

Interesting, you learn something new every day!

So that means that you @MegSplunk are trying to break the intent of the license agreement that you have, and you're being stopped from doing that.

Just quit doing that and download a free version of Splunk, and no one will complain.

/k

kristian_kolb
Ultra Champion

"Our Splunk license is for a fixed sourcetype". I have never heard of that, could you describe further?

The 500 MB limit (or indeed any license limit) is for the combined uncompressed size of the log files that are indexed by the Splunk instance during a 24-hour period (midnight to midnight). Splunk internal logs, which are stored in the _internal index does not count towards the license.

So perhaps there are other log files that - combined with your logs - will exceed the total allowed limit.

/K

Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...