Knowledge Management

How does Splunk determine data is being summarized and thus not counted towards license usage?

hulahoop
Splunk Employee
Splunk Employee

In the latest versions of Splunk, summary indexing does not deduct from the licensed indexing capacity. How does Splunk determine if data is summary data? Is it through use of the summary search commands (e.g. sistats, sichart, collect)? Does it exclude indexes prefaced with 'summary?' Do you have to check the "Enable Summary Indexing" box when scheduling the summary search?

Tags (2)
2 Solutions

matt
Splunk Employee
Splunk Employee

Only data that is populated through a summary search command is exempt from the daily licensing volume.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

Generally, summary index data is not counted against license volume. More specifically, the summary indexing command collect generates data with the SI stash sourcetype and this is not counted against license. Using the si- commands in other ways, or using collect and overriding the sourcetype will count against your license.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

Generally, summary index data is not counted against license volume. More specifically, the summary indexing command collect generates data with the SI stash sourcetype and this is not counted against license. Using the si- commands in other ways, or using collect and overriding the sourcetype will count against your license.

matt
Splunk Employee
Splunk Employee

Only data that is populated through a summary search command is exempt from the daily licensing volume.

Lowell
Super Champion

Also, this is only true for versions 4.0.10 / 4.1 and later. In earlier versions, summary indexing counted towards your license just like any other input.

0 Karma

hulahoop
Splunk Employee
Splunk Employee

For clarity the search commands are sitop, sirare, sistats, sichart, sitimechart and collect.

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...