Knowledge Management

How does Splunk determine data is being summarized and thus not counted towards license usage?

hulahoop
Splunk Employee
Splunk Employee

In the latest versions of Splunk, summary indexing does not deduct from the licensed indexing capacity. How does Splunk determine if data is summary data? Is it through use of the summary search commands (e.g. sistats, sichart, collect)? Does it exclude indexes prefaced with 'summary?' Do you have to check the "Enable Summary Indexing" box when scheduling the summary search?

Tags (2)
2 Solutions

matt
Splunk Employee
Splunk Employee

Only data that is populated through a summary search command is exempt from the daily licensing volume.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

Generally, summary index data is not counted against license volume. More specifically, the summary indexing command collect generates data with the SI stash sourcetype and this is not counted against license. Using the si- commands in other ways, or using collect and overriding the sourcetype will count against your license.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

Generally, summary index data is not counted against license volume. More specifically, the summary indexing command collect generates data with the SI stash sourcetype and this is not counted against license. Using the si- commands in other ways, or using collect and overriding the sourcetype will count against your license.

matt
Splunk Employee
Splunk Employee

Only data that is populated through a summary search command is exempt from the daily licensing volume.

Lowell
Super Champion

Also, this is only true for versions 4.0.10 / 4.1 and later. In earlier versions, summary indexing counted towards your license just like any other input.

0 Karma

hulahoop
Splunk Employee
Splunk Employee

For clarity the search commands are sitop, sirare, sistats, sichart, sitimechart and collect.

0 Karma
Get Updates on the Splunk Community!

Index with one sourcetype - search performance / best practices

Hello,I have created a few indexes, each containing data only from one source with one sourcetype.<BR />From a ...

How to use Timechart Query

Hey guys ,I need last 30 days stats for the use-cases that did not fire up on the ES console. Below is the ...

hadoop vs splunk

hiIn big data can we replace hadoop by splunk ? and why?do splunk do&nbsp; all hadoop fonctionality