Knowledge Management

How does Splunk determine data is being summarized and thus not counted towards license usage?

hulahoop
Splunk Employee
Splunk Employee

In the latest versions of Splunk, summary indexing does not deduct from the licensed indexing capacity. How does Splunk determine if data is summary data? Is it through use of the summary search commands (e.g. sistats, sichart, collect)? Does it exclude indexes prefaced with 'summary?' Do you have to check the "Enable Summary Indexing" box when scheduling the summary search?

Tags (2)
2 Solutions

matt
Splunk Employee
Splunk Employee

Only data that is populated through a summary search command is exempt from the daily licensing volume.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

Generally, summary index data is not counted against license volume. More specifically, the summary indexing command collect generates data with the SI stash sourcetype and this is not counted against license. Using the si- commands in other ways, or using collect and overriding the sourcetype will count against your license.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

Generally, summary index data is not counted against license volume. More specifically, the summary indexing command collect generates data with the SI stash sourcetype and this is not counted against license. Using the si- commands in other ways, or using collect and overriding the sourcetype will count against your license.

matt
Splunk Employee
Splunk Employee

Only data that is populated through a summary search command is exempt from the daily licensing volume.

Lowell
Super Champion

Also, this is only true for versions 4.0.10 / 4.1 and later. In earlier versions, summary indexing counted towards your license just like any other input.

0 Karma

hulahoop
Splunk Employee
Splunk Employee

For clarity the search commands are sitop, sirare, sistats, sichart, sitimechart and collect.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...