Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is the default 500 MB usage valid for log of sourcetype other than fixed sourcetype of license?

MegSplunk
Path Finder
‎01-30-2014 06:26 AM

I have a single Splunk instance ( No master slave configuration ). Our Splunk license is for a fixed sourcetype. If I try to add a log file ( less than 500 MB ) of a different sourcetype ( other than the fixed sourcetype of license ), Splunk throws a license violation.

How can i allot the default (free) 500 MB usage for this second sourcetype?

Any help appreciated.

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jconger
Splunk Employee
Splunk Employee
‎01-30-2014 12:36 PM

There is such a thing as a single sourcetype license; although, this is usually seen in an OEM situation. I would recommend installing another instance of Splunk (either on a new server or the same server) with a 500 MB free license.

Here is how to install multiple instances of Splunk on the same server -> https://wiki.splunk.com/Community:Run_multiple_Splunks_on_one_machine

View solution in original post

Reply
Solved! Jump to solution
Solution

jconger
Splunk Employee
Splunk Employee
‎01-30-2014 12:36 PM

There is such a thing as a single sourcetype license; although, this is usually seen in an OEM situation. I would recommend installing another instance of Splunk (either on a new server or the same server) with a 500 MB free license.

Here is how to install multiple instances of Splunk on the same server -> https://wiki.splunk.com/Community:Run_multiple_Splunks_on_one_machine

Reply
Solved! Jump to solution

MegSplunk
Path Finder
‎02-04-2014 10:21 PM

We believed that for the logs of second sourcetype, the default limit of 500 MB will be used.

So either a separate installation or a separate license for the second sourcetype is in order. Thanks for all the help.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎01-30-2014 01:47 PM

Interesting, you learn something new every day!

So that means that you @MegSplunk are trying to break the intent of the license agreement that you have, and you're being stopped from doing that.

Just quit doing that and download a free version of Splunk, and no one will complain.

/k

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎01-30-2014 06:56 AM

"Our Splunk license is for a fixed sourcetype". I have never heard of that, could you describe further?

The 500 MB limit (or indeed any license limit) is for the combined uncompressed size of the log files that are indexed by the Splunk instance during a 24-hour period (midnight to midnight). Splunk internal logs, which are stored in the _internal index does not count towards the license.

So perhaps there are other log files that - combined with your logs - will exceed the total allowed limit.

/K

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...