Splunk Enterprise

How is Splunk license consumed? What components, products, apps or other things consume the license?

pacifikn
Communicator

Greetings all!!

Hope this finds you well.

- Kindly help me understand how, in a distributed environment, the Splunk license is measured and consumed.

- I want to know whether it is measured on the raw data from the syslog senders/data sources that we receive on the syslog server collector/management instance, or whether it is measured on all the data ingested into the Splunk indexers. Kindly help me understand this.

- Which components or apps are also part of the license consumed?

- What query should I use to check the license usage over the previous 6 months?
 
Thank you in advance for your help.

 

 

0 Karma
Roy_9
Motivator

It will be calculated based on the amount of data being ingested at the indexer level on a 24 hr time interval irrespective of the type or source of the log.

0 Karma

richgalloway
SplunkTrust

Volume license use is measured by the number of uncompressed bytes written by the indexers to non-internal indexes.  Data sent to nullQueue does not count.

Search the license_usage.log files (index=_internal) on your License Manager to see your license history (the MC can do this for the last 30 days).  How far back you can go depends on the retention setting for _internal, which defaults to 30 days.

---
If this reply helps you, Karma would be appreciated.
0 Karma
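An added example, not part of the original replies: one way to run the license-history search described above over six months, using the daily `type=RolloverSummary` events in license_usage.log, where field `b` holds the bytes counted for the day. It assumes the search runs on the License Manager and that retention for _internal has been raised above the 30-day default; otherwise only the retained days are returned. The 43200-second shift moves each rollover event, which is logged just after midnight, back onto the day it summarizes.

```spl
index=_internal source=*license_usage.log* type=RolloverSummary earliest=-6mon@mon latest=@d
| eval _time=_time-43200
| bin _time span=1d
| stats sum(b) AS bytes BY _time
| eval GB=round(bytes/1024/1024/1024, 2)
| eventstats max(GB) AS peak_GB avg(GB) AS avg_GB perc95(GB) AS p95_GB
| eval avg_GB=round(avg_GB, 2)
| table _time GB peak_GB avg_GB p95_GB
```
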

pacifikn
Communicator

Thank you @richgalloway for your response, 

I wanted to know exactly, step by step, where the license starts to be consumed.

Let's take this scenario:

I receive data from different data sources (inputs) on the Splunk management node, where the incoming data is received/stored and configured before being indexed/stored on the indexers. This management node is where the indexers, search head and license are all managed.

So, if I understand you correctly, the license starts being consumed or counted when the data reaches the indexers? Where exactly?

Another thing: how can you know whether you really need 100GB or 200GB of license?

Let's say you have checked the MC and found that, over the previous 30 days, the highest volume used is 54 Gb/day and the peak is 30Gb. In this case, when you see your license usage is less than 60 GB, and if this persists without going beyond 60GB of volume and with a peak around 30-40Gb, what is your advice based on your experience, and exactly what amount of GB will I need if this range persists?

The last thing I want to understand well: is the license consumed the amount of data parsed and stored in the indexers? Is it the action of parsing and storing data into the indexers that consumes the license? Please help me understand this well.

Thank you in advance for your help.

0 Karma

richgalloway
SplunkTrust

See https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/HowSplunklicensingworks

If you are ingesting a maximum of 60GB per day then your license needs to be no more than 60GB.

---
If this reply helps you, Karma would be appreciated.