Massive License Usage - Splunk App for Windows Infrastructure

servercentraljo
New Member

Installed Splunk on Friday, added my AD controllers and my Exchange server, followed all the instructions, and we've done like 60 GB a day for the past few days. Is this just loading in old data or something or is there a switch somewhere I messed up? We have 90 users and a simple domain structure, I can't imagine we're ingesting this much data a day in AD logs.

Setup is very simple: master head with 2 indexers, universal forwarder on each of the Windows hosts, deployment server app setting each universal forwarder to get a copy of Splunk_TA_windows, TA-DNSServer-NT6, and TA-DomainController-2012R2 (we're pure 2012 R2). We also push the indexer IPs via a deployment app. The outputs.conf has both indexers in a single server stanza, which I believe means it load balances?

Either way, I can't justify buying 100GB of license for 6 servers.

0 Karma

servercentraljo
New Member

I disabled all perfmon on all my Windows hosts, and when I check the indexing volume it tells me it's all one of my AD servers and one of my Exchange servers. Yesterday's total use was 189GB on the windows index, but the entire size of all my indexes is just 20GB across both index servers. I don't understand how log data could be 189GB on just 6 servers.

0 Karma

ConnorG
Path Finder

You can use this view to see which sources are using up a large amount of volume on your Splunk server.
http(s)://your_server/en-GB/app/search/indexing_volume

If you are sending perfmon stats from each host you may want to change the interval the metrics are sent at. I've got my boxes all sending stats every 20 seconds (as seen below) and that works just fine. I believe the default for the Windows App is 10 seconds. Below is an example from inputs.conf

[perfmon://CPU Load]
counters = % Processor Time;% User Time
instances = _Total
# polling interval in seconds (the poster's 20 s instead of the app default of 10 s)
interval = 20
object = Processor
index = pt_infra_monitoring

0 Karma
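To check which perfmon stanzas are driving volume before touching the license, here is an added Python example (not from the thread or from Splunk) that parses the perfmon stanzas of an inputs.conf and estimates events per day from each stanza's interval. The inputs.conf text is constructed, and the one-event-per-counter-per-instance-per-poll model is an assumption stated in the comments.

```python
import re

SECONDS_PER_DAY = 86400
DEFAULT_INTERVAL = 10  # the Windows app default the answer above refers to

# Constructed sample inputs.conf: one stanza relaxed to 20 s, one at the 10 s default.
SAMPLE_INPUTS_CONF = """
[perfmon://CPU Load]
counters = % Processor Time;% User Time
instances = _Total
interval = 20
object = Processor
index = pt_infra_monitoring

[perfmon://Memory]
counters = *
instances = *
interval = 10
object = Memory
index = windows
"""

def parse_stanzas(text):
    """Minimal Splunk .conf parser: {stanza_name: {key: value}}. Ignores blanks and # comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        header = re.match(r'^\[(.+)\]$', line)
        if header:
            current = header.group(1)
            stanzas[current] = {}
        elif current is not None and '=' in line:
            key, _, value = line.partition('=')
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def estimate_perfmon_events_per_day(stanzas, min_interval=20):
    """Assumes one event per counter per instance per poll (Splunk's default single mode).
    A '*' wildcard cannot be counted from the file, so it counts as 1 and is flagged:
    the estimate for that stanza is a floor, not a total."""
    report = []
    for name, kv in stanzas.items():
        if not name.startswith('perfmon://'):
            continue
        interval = int(kv.get('interval', DEFAULT_INTERVAL))
        counters, instances = kv.get('counters', '*'), kv.get('instances', '*')
        n_counters = 1 if counters == '*' else len([c for c in counters.split(';') if c.strip()])
        n_instances = 1 if instances == '*' else len([i for i in instances.split(';') if i.strip()])
        report.append({
            'stanza': name,
            'interval': interval,
            'events_per_day': (SECONDS_PER_DAY // interval) * n_counters * n_instances,
            'wildcard': '*' in (counters, instances),
            'below_min_interval': interval < min_interval,
        })
    return report
```

Stanzas flagged `below_min_interval` or `wildcard` are the first candidates for raising `interval` or narrowing `counters`/`instances`, and the per-stanza estimate can be compared against the indexing_volume view linked above.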