Module 3 - Licensing Splunk

Question 1

License types

Answer 1

Enterprise trail - valid for 60 days. Up to 500mb logs a day
Enterprise
Free license - disables alerts, schedule searches, authentication, clustering, distributed search, forwarding to non splunk servers, summarization
Forwarder license

Question 2

Ingest pricing

Answer 2

Based in data volumes
Traditional method
Monitored in MC AND Settings > Licensing

Question 3

Workload pricing

Answer 3

Based on compute capacity
Monitored in MC (vCPU) or cloud monitoring console (for SVCs)

Question 4

Daily quota includes

Answer 4

Data from all sources that is indexed
Events - measured as data (full size)
Metrics - first 150 bytes per metric event

Question 5

Daily quota does not include

Answer 5

Replicated data (index clusters)
Summary indexes
Internal logs: _internal, _audit, indexes
Components of the index: metadata, tsidx, etc

Question 6

License requirements by server role and data

Answer 6

Search heads, deployments servers require license even if not ingesting data
Indexers need license to determine amount of allowed ingested data

Question 7

Licenses folder location

Answer 7

SPLUNK_HOME/etc/licenses

Question 8

Add license from CLI

Answer 8

Splunk add license <key></key>

Question 9

Multiple licenses behaviour

Answer 9

Multiple licenses stacked
All instances collectively share stack entitlement

Question 10

License pooling

Answer 10

Licenses can be subdivided and assigned to indexer groups (multi tenant scenario)
Most common single pool with shared entitlement
Warnings and violations per pool

Question 11

License alerts

Answer 11

Occurs when indexing exceeds the allocated daily quota in a pool
View from WebUI > Messages

Cleared at midnight when daily allocation is reset; may result in a Warning

Question 12

License warnings

Answer 12

Occurs if an alert is triggered and license capacity is not increased by midnight
Occurs only once per day

Question 13

License violations

Answer 13

Occur after 5 warnings in a rolling 30 day period
Does not affect indexing or searches
Searches are disabled for licenses < 100 GB/day with 45 warnings in a rolling 60-day period
Require reset key from splunk

Question 14

Monitoring console

Answer 14

On prem and cloud (CMC)

Provides vCPU / SVC usage across workloads
– By search type, indexes, and source types, etc

Question 15

Splunk app for chargeback

Answer 15

On prem and cloud

Provides Search Resource Usage
(SRU) across business units – 1 SRU ~= 1 SVC
Provides forecasts using Splunk Machine Learning

Question 16

Event and metric licensing

Answer 16

Metrics data draws from the same license quota as event data

Question 17

Metric cap

Answer 17

Metrics measurement is capped at 150 bytes per metric event

Question 18

What components require enterprise licensing

Answer 18

Search Heads, Indexers, Heavy Forwarders, Deployment Server and other Splunk Enterprise instances require the Enterprise license even if they are not ingesting data.

Question 19

What component doesn’t require Enterprise licensing

Answer 19

Universal forwarder

Question 20

Alerts, warning and violation transition

Answer 20

Indexing that exceeds the allocated daily quota in a pool is an alert. An alert not fixed by midnight turns into a warning. 5 or more warnings on an enforced Enterprise license (or 3 warnings on a Free license) in a rolling 30-day period is a violation