Solved: Database query into summary index counts as licens...

ruiaires · ‎05-20-2014

Using DB_Connect with dbquery command, if the search results are stored in a summary index, will this count towards the license usage ?

From the documentation, it seems that If summary commands are used (sitop, sirare, sistats, sichart, sitimechart and collect) and the sourcetype is not renamed (stash) it does not count for licensing.

jcoates_splunk · ‎05-20-2014

Hi,

No, it does not count towards license usage. If this becomes a problem, we may need to alter the app's license terms to tighten that up, though.

View solution in original post

jcoates_splunk · ‎05-20-2014

Hi,

No, it does not count towards license usage. If this becomes a problem, we may need to alter the app's license terms to tighten that up, though.

lukejadamec · ‎05-20-2014

Good question. Summary indexing does not count against licensing, ie, mining data that has already been indexed and storing the results in a new index.

If the dbquery command collects data directly from a database, and the splunk summary stats search commands can search those results and populate an index, then you may have found a way around licensing. Hard to believe tho, the licensing code is pretty well baked in.
Have you tested it? It should be easy enough to test.

Database query into summary index counts as licensing usage ?

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team