Hello,
I'm trying to read how Splunk indexing and usage works and still couldn't figure it out. Here is an example: we have an around 3GB log file we need to analyze every 15 minutes. If we do a search and get a result of 5kb of data, how would it show in usage?
Hi ananthan123,
About indexing: Splunk indexes all the logs that it receives from all the inputs (local or remote), and the license counts the daily volume of indexed logs.
In searches, Splunk shows all the events that match the search terms: if you have few events you have little traffic, if you have many events you have more traffic. Anyway, searches don't affect license consumption; they are important only in infrastructure capacity planning.
Could you share more details about your needs?
Bye.
Giuseppe
Thank you very much, Giuseppe.
Thank you very much. How do the forwarder metric log and the indexer metric log work? Does the forwarder pass the local metric.log data to the indexer, and the indexer merges it with its local metric.log and then does the indexing?
No, the indexer counts the really indexed logs; logs sent by forwarders aren't added to the license consumption.
In fact, you can filter logs received by indexers before indexing, and discarded logs don't consume license.
At the same time Splunk internal logs are indexed but not added to the license consumption.
Bye.
Giuseppe
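A sketch of the pre-indexing filter described in the answer above, added here as an example and not part of the original thread. The sourcetype name `app_logs`, the stanza name `drop_debug_events` and the DEBUG pattern are assumptions chosen for illustration.

```ini
# props.conf (on the indexer or heavy forwarder that parses the data)
# "app_logs" is a hypothetical sourcetype.
[app_logs]
TRANSFORMS-drop_debug = drop_debug_events

# transforms.conf (same instance)
# Events matching REGEX are routed to nullQueue and discarded before
# indexing, so they are never written to an index.
[drop_debug_events]
REGEX = \sDEBUG\s
DEST_KEY = queue
FORMAT = nullQueue
```

The indexed volume per index can then be compared before and after the change with a search such as `index=_internal source=*license_usage.log type=Usage | stats sum(b) AS bytes BY idx`.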
Thank you. When you say internal logs, does it mean the indexer's log files? For example, the metric.log file?
All Splunk logs of all Splunk servers, also Forwarders.
Bye.
Giuseppe
Thank you so much, Giuseppe. This is what I would like to know. If I understand correctly, if we do searches it won't affect license consumption. It will only calculate based on the events and logs that we are indexing. Am I right?
Yes, the total logs you index daily.
You can exceed the daily quota without a violation for 5 times in 30 solar days with a license and 3 times with the free license.
After that, you need a violation code to unlock your license (during a violation, logs are anyway indexed but you cannot run searches).
Bye.
Giuseppe
P.S. If you're satisfied with this answer, please accept it.
Yes, licensing usage.
What do you mean by "usage"? Are you referring to licensing or something else?