Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how Splunk license is consumed? what components or product or apps or other x things that consume the license?

pacifikn
Communicator
‎05-06-2021 01:32 AM

Greetings all!!

Hope this finds you well.

- Kindly help me to understand  how in distributed environment , how Splunk license is measured and consumed? 
 
- I want to know if it is measured on the raw data from (syslog sender/data sources) we receive in syslog server collector/management instance ?  OR  if it is measured on all the data ingested in Splunk indexers?  kindly help me to understand this?
 
- what components or apps that are also part of license consumed?
 
- What query to use to check the license usage in previous 6months.
 
Thank you in advance for your help.

 

 

Labels (2)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-07-2021 05:24 AM

See https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/HowSplunklicensingworks

If you are ingesting a maximum of 60GB per day then your license needs to be no more than 60GB.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

Roy_9
Motivator
‎05-06-2021 08:53 PM

It will be calculated based on the amount of data being ingested at the indexer level on a 24 hr time interval irrespective of the type or source of the log.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-06-2021 10:51 AM

Volume license use is measured by the number of uncompressed bytes written by the indexers to non-internal indexes.  Data sent to nullQueue does not count.

Search the license_usage.log files (index=_internal) on your License Manager to see your license history (the MC can do this for the last 30 days).  How far back you can go depends on the retention setting for _internal, which defaults to 30 days.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

pacifikn
Communicator
‎05-06-2021 08:44 PM

Thank you @richgalloway for your response, 

I wanted to know exactly step by step  where the license started to be consumed.

Let's take this scenario, 

I receive the data from different data sources(inputs) to splunk management node where the incoming data are stored/received & configure them(data) before being indexed/stored to indexers. And in this management node it is where all the indexers , Search head , license , all are managed.

So if I hear you well ,the license will start being consumed or counted when it reaches indexers? Where exactly?

 

Other thing, how you can know if you really need 100GB or 200GB of license? 

Let's say you have checked on MC and you find that the license used in previous 30 days the highest volume used is 54 Gb/ day of volume and peak is 30Gb , in this case when you see your license usage is less than 60 GB, if this persist by not going beyond the 60GB of volume and peak around 30-40Gb ,  based on your experience what is your advice ,and tell me  what amount of GB exactly I will need when this range persist ....? 

Last thing I want to understand well, is the license consumed , is the amount of data parsed and stored in indexers? The action of parsing and storing data into indexers it's what consume the license? Help me please to understand this well? 

Thank you in advance for your help.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-07-2021 05:24 AM

See https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/HowSplunklicensingworks

If you are ingesting a maximum of 60GB per day then your license needs to be no more than 60GB.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...