Monitoring Splunk

Massive License Usage - Splunk App for Windows Infrastructure

servercentraljo
New Member

Installed Splunk on Friday, added my AD controllers and my Exchange server, followed all the instructions, and we've done like 60 GB a day for the past few days. Is this just loading in old data or something or is there a switch somewhere I messed up? We have 90 users and a simple domain structure, I can't imagine we're ingesting this much data a day in AD logs.

Setup is very simple: master head with 2 indexers, universal forwarder on each of the Windows hosts, deployment server app setting each universal forwarder to get a copy of Splunk_TA_windows, TA-DNSServer-NT6, and TA-DomainController-2012R2 (we're pure 2012 R2). We also push the indexer IPs via a deployment app. The outputs.conf has both indexers in a single server stanza, which I believe means it load balances?

Either way, I can't justify buying 100GB of license for 6 servers.

0 Karma

servercentraljo
New Member

I disabled all perfmon on all my Windows hosts, and when I check the indexing volume it tells me it's all one of my AD servers and one of my Exchange servers. Yesterday's total use was 189GB on the windows index, but the entire size of all my indexes is just 20GB across both index servers. I don't understand how log data could be 189GB on just 6 servers.

0 Karma

ConnorG
Path Finder

You can use this view to see which sources are using up a large amount of volume on your Splunk server.
http(s)://your_server/en-GB/app/search/indexing_volume

If you are sending perfmon stats from each host you may want to change the interval the metrics are sent at. I've got my boxes all sending stats every 20 seconds (as seen below) and that works just fine. I believe the default for the Windows App is 10 seconds. Below is an example from inputs.conf:

[perfmon://CPU Load]
counters = % Processor Time;% User Time
instances = _Total
interval = 20
object = Processor
index=pt_infra_monitoring

0 Karma
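Added example (not part of the original thread, and not Splunk's own code): the per-host breakdown discussed above can also be reproduced offline from the license master's license_usage.log. This Python script sums the b (bytes) field of type=Usage events per host and sourcetype; the sample lines, host names, sizes and GUID placeholder are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (hosts, sizes and GUID are placeholders) in the
# key=value layout of the type=Usage events written to license_usage.log.
SAMPLE = """\
05-18-2015 00:01:31.000 -0500 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st="WinEventLog:Security" h="DC01" o="" idx="windows" i="GUID-PLACEHOLDER" pool="auto_generated_pool_enterprise" b=6000000000 poolsz=10737418240
05-18-2015 00:02:31.000 -0500 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st="WinEventLog:Security" h="DC01" o="" idx="windows" i="GUID-PLACEHOLDER" pool="auto_generated_pool_enterprise" b=2000000000 poolsz=10737418240
05-18-2015 00:02:31.000 -0500 INFO  LicenseUsage - type=Usage s="WinEventLog:Application" st="WinEventLog:Application" h="EXCH01" o="" idx="windows" i="GUID-PLACEHOLDER" pool="auto_generated_pool_enterprise" b=1500000000 poolsz=10737418240
05-18-2015 00:02:31.000 -0500 INFO  LicenseUsage - type=Usage s="Perfmon:CPU Load" st="Perfmon:CPU Load" h="DC02" o="" idx="windows" i="GUID-PLACEHOLDER" pool="auto_generated_pool_enterprise" b=500000000 poolsz=10737418240
05-19-2015 00:00:00.000 -0500 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_enterprise" b=10000000000 poolsz=10737418240
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_usage(line):
    """Return the fields of a type=Usage event, or None for any other line."""
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    # Daily rollover summaries also carry b=...; counting them would double the total.
    if fields.get("type") != "Usage" or not fields.get("b", "").isdigit():
        return None
    return fields

def top_consumers(lines, keys=("h", "st")):
    """Sum licensed bytes per key tuple; return (key, bytes, percent) sorted descending."""
    totals = defaultdict(int)
    for line in lines:
        fields = parse_usage(line)
        if fields:
            totals[tuple(fields.get(k, "") for k in keys)] += int(fields["b"])
    grand = sum(totals.values())
    if grand == 0:
        return []
    ranked = sorted(totals.items(), key=lambda item: -item[1])
    return [(key, used, round(100 * used / grand, 1)) for key, used in ranked]

if __name__ == "__main__":
    for key, used, pct in top_consumers(SAMPLE.splitlines()):
        print(f"{' / '.join(key):40s} {used / 1e9:8.2f} GB  {pct:5.1f}%")
```

Grouping by `keys=("h", "s")` instead shows which individual event log channel or perfmon stanza on the noisy host is responsible.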