Understanding your Splunk License - .conf2017 | The 8th ...

Neena Bhutiani | Senior Consultant, Function1

www.function1.com

Disclaimer.

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

About Function1.

>  Founded in 2007, delivering:
   •  Products
   •  World-Class Services
   •  Customized Solutions
>  Practices:
   •  Operational Intelligence
   •  Data Security
   •  Drupal
   •  WebCenter Sites

The Function1 OI Advantage.

>  splunk> Delivery Partner since 2010
>  Practice of Eleven Certified splunk> Architects
>  Collaborated with most of the biggest splunk> Customers in the world
>  Full Lifecycle Engagements:
   •  Installation & Upgrades
   •  Health Checks
   •  Data Migration
   •  Dashboard & App Development
   •  Education Services
   •  Performance Tuning

About Me.

>  Senior Consultant at Function1
>  BS in Finance and Legal Studies
>  MBA in Financial Management
>  Diehard Cincinnati Bengals Fan!

[email protected]

Think who-dey.

How Does Licensing Work?

>  splunk> takes in data from your sources and indexes it
>  Licensing specifies how much data you can index per CALENDAR day - Midnight to Midnight by the clock on the license master
>  Once you've already indexed data, there is no way to un-index data
>  Next Steps:
   •  Get additional license room
      o  Purchasing a bigger license
      o  Rearrange license pools if you have a pool with extra license room
   •  Use less of the license

Types of Licenses.

>  In general there are four types of licenses:
   •  The Enterprise License
   •  The Free License
   •  The Forwarder License
   •  The Beta License

Enterprise License.

>  Standard splunk> license
>  Allows you to use all splunk>’s Enterprise features, including:
   •  Authentication
   •  Deployed Management
   •  Scheduling of Alerts
   •  Role-based Access controls
>  Enterprise Trial License:
   •  500 MB/day upon initial registry
   •  Expires 60 days after start of using splunk>
   •  After expiration, must switch to Free License

Free License.

>  Includes 500 MB/day of indexing volume, is free, and has no expiration date
>  No login
>  Cannot add more roles or create user accounts
>  Searches are run against all public indexes (“index=*”), and restrictions on search such as user quotas, maximum per-search time ranges, and search filters are not supported
>  The capability system is disabled; all capabilities are enabled for users accessing splunk>

Forwarder License.

>  License allows forwarding (but not indexing) of unlimited data
>  Enables security on the instance so that users must supply username and password to access it
>  Forwarder licenses are included with splunk>

Beta License.

>  splunk>’s Beta releases require a different license that is not compatible with other splunk> releases
>  If you are evaluating a Beta release of splunk>, it will not run with a Free or Enterprise License
>  If you are evaluating a Beta version of splunk>, it will come with its own license

Licenses for Search Head.

>  Although search heads don’t usually index any data locally, you will still want to use a license to restrict access to them
>  There is no “search head license”
>  splunk> recommends that, instead of assigning a separate license to each peer, you add the search heads to an Enterprise license pool even if they are not expected to index any data

What requires a license?

Configure a License Master.

>  There are two basic styles of license master:
   1.  Standalone License Master
   2.  Central License Master

Standalone License Master.

>  If you have a single splunk> indexer and want to manage its licenses, you can:
   1.  Run it as its own license master
   2.  Install one or more Enterprise licenses on it and it will manage itself as a license slave

Add a New License.

>  Navigate to Settings > Licensing
>  Click “Add license”

Central License Master.

>  For deployments with more than one indexer that you want to manage from a central location
>  Recommended: make a search head the license master
>  If you have multiple search heads, it is recommended that the search heads that are not license masters distribute searches to the license master, so that:
   1.  You can run searches against the log
   2.  Messages, e.g. that your license is running out, are visible to all search heads

License Master and Slave Connection.

>  When you configure a license master instance and add license slaves to it, the license slaves communicate their usage to the license master every minute
>  If the license master is down or unreachable for any reason, the license slave starts a 72-hour timer
>  If the license slave cannot reach the license master for 72 hours, search is blocked on the license slave (although indexing continues). Users will not be able to search data in the indexes on the license slave until that slave can reach the master again

Configure License Slave.

1.  On the indexer (or search head) you want to configure as a license slave, log into splunk> Web and navigate to Settings > Licensing
2.  Click “Change to slave”
3.  Switch the radio button from “Designate this splunk> instance, <this indexer/searchhead>, as the master license server” to “Designate a different Splunk instance as the master license server”
4.  Specify the license master to which this license slave should report

To switch back, navigate to Settings > Licensing and click Switch to local master. If this instance does not already have an Enterprise license installed, you must restart splunk> for this to take effect.

Groups, Stacks, & Pools.

License Pools.

>  splunk> automatically creates an Enterprise license stack when you add an Enterprise License to a new server
>  The splunk> Enterprise stack defines a default license pool called auto_generated_pool_enterprise
>  The default configuration adds any license slaves that connect to the license master to auto_generated_pool_enterprise
>  This can be edited!

Edit Existing License Pool.

Next to the license pool you want to edit, click Edit. The Edit license pool page is displayed.

Before you can create a new license pool from the default Enterprise stack, you must make some indexing volume available by either editing the auto_generated_pool_enterprise pool and reducing its allocation, or deleting the pool entirely.

Create a New License Pool.

1.  The Create new license pool page is displayed
2.  Specify a name and, optionally, a description for the pool
3.  Set the allocation for this pool
4.  Specify how indexers are to access this pool. The options are:
    •  Any indexer in your environment that is configured as a license slave can connect to this license pool and use the license allocation within it
    •  Only indexers that you specify can connect to this pool and use the license allocation within it

What Counts Towards the License?

1.  Any host performing indexing must be licensed to do so
2.  splunk> INTERNAL indexes do not count towards licensing
    •  e.g., _internal, _audit
3.  Re-indexing frozen data does not count towards licensing
    •  i.e., Archived frozen buckets
4.  Summary indexing volume is not counted against your license
    •  In the event of a license violation, summary indexing will halt like any other non-internal search behavior

License Violations vs. Warnings.

>  Warnings and violations occur when you exceed the maximum indexing volume allowed for your license
>  Warning
   •  Exceed your license daily volume on any one calendar day
   •  Message persists for 14 days
   •  Have until midnight of the license master time to resolve
>  Violations
   •  Five or more warnings on an Enterprise License or Three on a Free License in a rolling 30 day period
   •  Searching will be disabled for the offending pools
   •  splunk> does not stop indexing, only blocks search
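The warning and violation rule above, modelled as an added example (not part of the original presentation and not Splunk code). It assumes you already have per-day indexed byte totals, such as the output of the license_usage.log search at the end of this deck; the quota, dates and volumes are constructed sample values, and the rolling-window accounting is a simplification of what the license master does.

```python
from datetime import date, timedelta

GB = 1024 ** 3
WINDOW_DAYS = 30                                  # rolling period from the slide
VIOLATION_AT = {"enterprise": 5, "free": 3}       # warnings that make a violation

def evaluate(daily_bytes, quota_bytes, license_type="enterprise"):
    """Apply the slide's rule to {date: bytes indexed that calendar day}.

    Returns (warning_days, blocked_days, warnings_left), where blocked_days are
    the days on which the rolling warning count is at or above the violation
    threshold and warnings_left is the headroom as of the last day supplied.
    """
    limit = VIOLATION_AT[license_type]
    warnings, blocked, in_window = [], [], []
    for day in sorted(daily_bytes):
        if daily_bytes[day] > quota_bytes:        # over quota on this calendar day
            warnings.append(day)
        oldest = day - timedelta(days=WINDOW_DAYS - 1)
        in_window = [w for w in warnings if w >= oldest]
        if len(in_window) >= limit:               # search would be disabled
            blocked.append(day)
    return warnings, blocked, max(0, limit - len(in_window))

def sample_usage():
    """Constructed data: 40 days at 80 GB/day with five 120 GB spikes."""
    start = date(2017, 9, 1)
    usage = {start + timedelta(days=i): 80 * GB for i in range(40)}
    for spike in (date(2017, 9, 3), date(2017, 9, 10), date(2017, 9, 17),
                  date(2017, 9, 24), date(2017, 9, 28)):
        usage[spike] = 120 * GB
    return usage

if __name__ == "__main__":
    for kind in ("enterprise", "free"):
        warns, blocked, left = evaluate(sample_usage(), 100 * GB, kind)
        first = blocked[0].isoformat() if blocked else "never"
        print(f"{kind}: {len(warns)} warnings, search blocked from {first} "
              f"for {len(blocked)} day(s), {left} warning(s) of headroom now")
```

With the same spikes, the Free threshold is reached eleven days earlier than the Enterprise one, which is the headroom figure worth tracking when search availability matters for monitoring.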

What a License Warning Looks Like?

>  Warnings shown on license master and slaves on top banner
>  For further details, go to Settings > Licensing
>  Click on the warning for further information

Correcting License Warnings.

>  Daily License will reset at midnight, but fix the situation to prevent another warning the next day
>  Next Steps:
   •  Get additional license room
      o  Purchasing a bigger license
      o  Rearrange license pools if you have a pool with extra license room
   •  Use less of the license

Correcting License Violations.

>  Obtain a temporary reset through your splunk> Sales Representative
>  Reset will include a temporary license that you add to the license master
>  Reassess Licensing needs if violation occurs more than once!
>  How do we avoid violations???

How to Avoid License Violations.

>  splunk> 6 changed the game!
>  License Usage Report
   •  Created to help understand and prevent license violation
   •  Provides a fast and easy approach to determine the consumption of your splunk> license
   •  Immediate insight into your daily Splunk indexing volume, as well as any license warnings
   •  Comprehensive view of the last 30 days of your splunk> usage with reporting options.

Using the License Usage Report.

>  Access LURV on your deployment’s license master
>  Settings > Licensing > Usage Report

Today’s Usage.


Previous 30 Days.

Creating an Alert.

>  Any dashboard panel on the License Usage Report can become an alert!
>  Steps:
   1.  Click on one of the searches in the panel
   2.  Alter the search to create a threshold
   3.  Save as an alert!


Further Insight.


index=_internal source=*license_usage.log type="Usage" | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) AS bytes by _time idx st | eval GB=bytes/1024/1024/1024

Thank You.

www.function1.com