Refine your search:

How does Splunk determine data is being summarized and thus not counted towards license usage?

4
1

In the latest versions of Splunk, summary indexing does not deduct from the licensed indexing capacity. How does Splunk determine if data is summary data? Is it through use of the summary search commands (e.g. sistats, sichart, collect)? Does it exclude indexes prefaced with 'summary?' Do you have to check the "Enable Summary Indexing" box when scheduling the summary search?

asked 15 Oct '10, 20:14

hulahoop's gravatar image

hulahoop ♦
2.6k141151
accept rate: 40%

edited 15 Oct '10, 22:26

2 Answers:
oldestnewestmost voted
3

Only data that is populated through a summary search command is exempt from the daily licensing volume.

link

answered 15 Oct '10, 22:08

matt's gravatar image

matt ♦♦
3.5k121140
accept rate: 81%

For clarity the search commands are sitop, sirare, sistats, sichart, sitimechart and collect.

(15 Oct '10, 22:16) hulahoop ♦

Also, this is only true for versions 4.0.10 / 4.1 and later. In earlier versions, summary indexing counted towards your license just like any other input.

(16 Oct '10, 01:05) Lowell ♦
1

Generally, summary index data is not counted against license volume. More specifically, the summary indexing command collect generates data with the SI stash sourcetype and this is not counted against license. Using the si- commands in other ways, or using collect and overriding the sourcetype will count against your license.

link

answered 08 Dec '10, 00:50

gkanapathy's gravatar image

gkanapathy ♦
32.4k4827
accept rate: 41%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×235
×50

Asked: 15 Oct '10, 20:14

Seen: 1,085 times

Last updated: 08 Dec '10, 00:50

Related questions

Do multiple summary indexes affect license usage?

Bucket command time boundary issues

Copyright © 2005-2012 Splunk Inc. All rights reserved.