Splunk Enterprise

Do the _SYSLOG_ROUTING and _TCP_ROUTING dest_keys in transform.conf consume Splunk license?

Zanusha443
Explorer

Hi,

I am sending logs to another product, without indexing them on Splunk, by using the "SYSLOG_ROUTING" DEST_KEY in the transform.conf file.

Looking at the documentation of "How Splunk licensing works", it says: "When ingesting event data, the measured data volume is based on the raw data that is placed into the indexing pipeline."

Looking at the monitor console, I realized that the indexer pipeline is made up of: syslog out, tcp out and indexer lines, so it seems that by using the syslog_routing dest key I could also consume Splunk license.
Can you confirm this?

Kind Regards,

Angelo

isoutamo
SplunkTrust

Hi

If you are not storing anything on local disk/indexer, then it’s not counted towards your license usage. Based on your scenario, if I understand right, you are forwarding all events to the next host (indexers); then it’s not counted on your license on HF level.

r. Ismo
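
Added example (not part of either post above and not Splunk's own sample config): the kind of routing setup the question describes, with `_SYSLOG_ROUTING` and `_TCP_ROUTING` side by side. The sourcetype, transform names, group names and `example.com` hosts are placeholders chosen for illustration.

```ini
# props.conf -- attach both routing transforms to one sourcetype
# (my_sourcetype is a placeholder)
[my_sourcetype]
TRANSFORMS-routing = route_to_syslog, route_to_tcp

# transforms.conf -- REGEX = . matches every event of that sourcetype
[route_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
# FORMAT names a [syslog:<group>] stanza in outputs.conf
FORMAT = third_party_syslog

[route_to_tcp]
REGEX = .
DEST_KEY = _TCP_ROUTING
# FORMAT names a [tcpout:<group>] stanza in outputs.conf
FORMAT = third_party_tcp

# outputs.conf -- the target groups referenced by FORMAT above
[syslog:third_party_syslog]
server = syslog.example.com:514
type = udp

[tcpout:third_party_tcp]
server = collector.example.com:9997
# send raw events, since the receiver is not a Splunk instance
sendCookedData = false
```

To confirm what is actually metered in your own deployment, look at the `type=Usage` events in `license_usage.log` on the license manager and filter on the sending host.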
