Splunk Enterprise

how Splunk license is consumed? what components or product or apps or other x things that consume the license?

pacifikn
Path Finder

Greetings all!!

Hope this finds you well.

- Kindly help me to understand  how in distributed environment , how Splunk license is measured and consumed? 
 
- I want to know if it is measured on the raw data from (syslog sender/data sources) we receive in syslog server collector/management instance ?  OR  if it is measured on all the data ingested in Splunk indexers?  kindly help me to understand this?
 
- what components or apps that are also part of license consumed?
 
- What query to use to check the license usage in previous 6months.
 
Thank you in advance for your help.

 

 

Labels (2)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

See https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/HowSplunklicensingworks

If you are ingesting a maximum of 60GB per day then your license needs to be no more than 60GB.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Roy99
Communicator

It will be calculated based on the amount of data being ingested at the indexer level on a 24 hr time interval irrespective of the type or source of the log.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Volume license use is measured by the number of uncompressed bytes written by the indexers to non-internal indexes.  Data sent to nullQueue does not count.

Search the license_usage.log files (index=_internal) on your License Manager to see your license history (the MC can do this for the last 30 days).  How far back you can go depends on the retention setting for _internal, which defaults to 30 days.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

pacifikn
Path Finder

Thank you @richgalloway for your response, 

I wanted to know exactly step by step  where the license started to be consumed.

Let's take this scenario, 

I receive the data from different data sources(inputs) to splunk management node where the incoming data are stored/received & configure them(data) before being indexed/stored to indexers. And in this management node it is where all the indexers , Search head , license , all are managed.

So if I hear you well ,the license will start being consumed or counted when it reaches indexers? Where exactly?

 

Other thing, how you can know if you really need 100GB or 200GB of license? 

Let's say you have checked on MC and you find that the license used in previous 30 days the highest volume used is 54 Gb/ day of volume and peak is 30Gb , in this case when you see your license usage is less than 60 GB, if this persist by not going beyond the 60GB of volume and peak around 30-40Gb ,  based on your experience what is your advice ,and tell me  what amount of GB exactly I will need when this range persist ....? 

Last thing I want to understand well, is the license consumed , is the amount of data parsed and stored in indexers? The action of parsing and storing data into indexers it's what consume the license? Help me please to understand this well? 

Thank you in advance for your help.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

See https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/HowSplunklicensingworks

If you are ingesting a maximum of 60GB per day then your license needs to be no more than 60GB.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!