Knowledge Management

How does Splunk determine data is being summarized and thus not counted towards license usage?

hulahoop
Splunk Employee
Splunk Employee

In the latest versions of Splunk, summary indexing does not deduct from the licensed indexing capacity. How does Splunk determine if data is summary data? Is it through use of the summary search commands (e.g. sistats, sichart, collect)? Does it exclude indexes prefaced with 'summary?' Do you have to check the "Enable Summary Indexing" box when scheduling the summary search?

Tags (2)
2 Solutions

matt
Splunk Employee
Splunk Employee

Only data that is populated through a summary search command is exempt from the daily licensing volume.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

Generally, summary index data is not counted against license volume. More specifically, the summary indexing command collect generates data with the SI stash sourcetype and this is not counted against license. Using the si- commands in other ways, or using collect and overriding the sourcetype will count against your license.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

Generally, summary index data is not counted against license volume. More specifically, the summary indexing command collect generates data with the SI stash sourcetype and this is not counted against license. Using the si- commands in other ways, or using collect and overriding the sourcetype will count against your license.

matt
Splunk Employee
Splunk Employee

Only data that is populated through a summary search command is exempt from the daily licensing volume.

Lowell
Super Champion

Also, this is only true for versions 4.0.10 / 4.1 and later. In earlier versions, summary indexing counted towards your license just like any other input.

0 Karma

hulahoop
Splunk Employee
Splunk Employee

For clarity the search commands are sitop, sirare, sistats, sichart, sitimechart and collect.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...