Understanding Your Splunk License - .conf2017 | the 8th ...
Disclaimer.
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
About Function1.
> Founded in 2007, delivering:
• Products
• World-Class Services
• Customized Solutions
> Practices:
• Operational Intelligence
• Data Security
• Drupal
• WebCenter Sites
> splunk> Delivery Partner since 2010
> Practice of Eleven Certified splunk> Architects
> Collaborated with most of the biggest splunk> Customers in the world
> Full Lifecycle Engagements:
• Installation & Upgrades
• Health Checks
• Data Migration
• Dashboard & App Development
• Education Services
• Performance Tuning
The Function1 OI Advantage.
About Me.
> Senior Consultant at Function1
> BS in Finance and Legal Studies
> MBA in Financial Management
> Diehard Cincinnati Bengals Fan!
[email protected] Think who-dey.
How Does Licensing Work?
> splunk> takes in data from your sources and indexes it
> Licensing specifies how much data you can index per CALENDAR day - Midnight to Midnight by the clock on the license master
> Once you've already indexed data, there is no way to un-index data
> Next Steps:
• Get additional license room
o Purchasing a bigger license
o Rearrange license pools if you have a pool with extra license room
• Use less of the license
Types of Licenses.
> In general there are four types of licenses:
• The Enterprise License
• The Free License
• The Forwarder License
• The Beta License
Enterprise License.
> Standard splunk> license
> Allows you to use all of splunk>’s Enterprise features, including:
• Authentication
• Deployed Management
• Scheduling of Alerts
• Role-based Access controls
> Enterprise Trial License:
• 500 MB/day upon initial registry
• Expires 60 days after start of using splunk>
• After expiration, must switch to Free License
Free License.
> Includes 500 MB/day of indexing volume, is free, and has no expiration date
> No login
> Cannot add more roles or create user accounts
> Searches are run against all public indexes ("index=*"), and restrictions on search such as user quotas, maximum per-search time ranges, and search filters are not supported
> The capability system is disabled; all capabilities are enabled for users accessing splunk>
Forwarder License.
> License allows forwarding (but not indexing) of unlimited data
> Enables security on the instance so that users must supply username and password to access it
> Forwarder licenses are included with splunk>
Beta License.
> splunk>’s Beta releases require a different license that is not compatible with other splunk> releases
> If you are evaluating a Beta release of splunk>, it will not run with a Free or Enterprise License
> If you are evaluating a Beta version of splunk>, it will come with its own license
Licenses for Search Head.
> Although search heads don’t usually index any data locally, you will still want to use a license to restrict access to them
> There is no “search head license”
> splunk> recommends that, instead of assigning a separate license to each peer, you add the search heads to an Enterprise license pool even if they are not expected to index any data
Configure a License Master.
> There are two basic styles of license master:
1. Standalone License Master
2. Central License Master
Standalone License Master.
> If you have a single splunk> indexer and want to manage its licenses, you can:
1. Run it as its own license master
2. Install one or more Enterprise licenses on it and it will manage itself as a license slave
Central License Master.
> If you have more than one indexer and want to manage licenses from a central location
> Recommended to make a search head the license master
> If you have multiple search heads, it is recommended to have the search heads that are not license masters distribute searches to the license master
1. Run searches against the log
2. i.e., if your license is running out, this is visible as a message to all search heads
License Master and Slave Connection.
> When you configure a license master instance and add license slaves to it, the license slaves communicate their usage to the license master every minute
> If the license master is down or unreachable for any reason, the license slave starts a 72-hour timer
> If the license slave cannot reach the license master for 72 hours, search is blocked on the license slave (although indexing continues). Users will not be able to search data in the indexes on the license slave until that slave can reach the master again
Configure License Slave.
1. On the indexer (or search head) you want to configure as a license slave, log into splunk> Web and navigate to Settings > Licensing
2. Click “Change to slave”
3. Switch the radio button from “Designate this splunk> instance, <this indexer/searchhead>, as the master license server” to “Designate a different Splunk instance as the master license server”
4. Specify the license master to which this license slave should report
To switch back, navigate to Settings > Licensing and click “Switch to local master”. If this instance does not already have an Enterprise license installed, you must restart splunk> for this to take effect.
License Pools.
> splunk> automatically creates an Enterprise license stack when you add an Enterprise License to a new server
> The splunk> Enterprise stack defines a default license pool called auto_generated_pool_enterprise
> The default configuration adds any license slaves that connect to the license master to auto_generated_pool_enterprise
> This can be edited!
Edit Existing License Pool.
> Next to the license pool you want to edit, click Edit. The Edit license pool page is displayed
> Before you can create a new license pool from the default Enterprise stack, you must make some indexing volume available by either editing the auto_generated_pool_enterprise pool and reducing its allocation, or deleting the pool entirely.
Create a New License Pool.
1. Create new license pool page is displayed
2. Specify a name and, optionally, a description for the pool
3. Set the allocation for this pool
4. Specify how indexers are to access this pool. The options are:
• Any indexer in your environment that is configured as license slave can connect to this license pool and use the license allocation within it
• Only indexers that you specify can connect to this pool and use the license allocation within it
What Counts Towards the License?
1. Any host performing indexing must be licensed to do so
2. splunk> INTERNAL indexes do not count towards licensing
• e.g., _internal, _audit
3. Re-indexing frozen data does not count towards licensing
• i.e., archived frozen buckets
4. Summary indexing volume is not counted against your license
• In the event of a license violation, summary indexing will halt like any other non-internal search behavior
License Violations vs. Warnings.
> Warnings and violations occur when you exceed the maximum indexing volume allowed for your license
> Warning
• Exceed your license daily volume on any one calendar day
• Message persists for 14 days
• Have until midnight of the license master time to resolve
> Violations
• Five or more warnings on an Enterprise License, or three on a Free License, in a rolling 30-day period
• Searching will be disabled for the offending pools
• splunk> does not stop indexing, only blocks search
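The warning and violation rule from this slide, worked through in Python as an added example (not part of the original presentation and not Splunk's own code). It assumes the rolling 30-day window includes the current day and that a warning is raised when a calendar day's volume is strictly greater than the quota; the function names and the sample volumes are constructed for illustration.

```python
from datetime import date, timedelta

# Warning counts that become a violation, as stated on the slide.
VIOLATION_THRESHOLD = {"enterprise": 5, "free": 3}
WINDOW_DAYS = 30  # assumption: rolling window includes the current day


def warning_days(daily_bytes, quota_bytes):
    """Sorted calendar days whose indexed volume exceeded the daily quota."""
    return sorted(d for d, used in daily_bytes.items() if used > quota_bytes)


def first_violation(daily_bytes, quota_bytes, license_type="enterprise"):
    """Day on which warnings in the rolling window reach the threshold, or None."""
    threshold = VIOLATION_THRESHOLD[license_type]
    window = []  # warning days still inside the rolling window
    for day in warning_days(daily_bytes, quota_bytes):
        cutoff = day - timedelta(days=WINDOW_DAYS - 1)
        window = [d for d in window if d >= cutoff] + [day]
        if len(window) >= threshold:
            return day  # search is blocked from here; indexing continues
    return None


def warnings_left(daily_bytes, quota_bytes, today, license_type="enterprise"):
    """Warnings the pool can still absorb as of `today` before a violation."""
    cutoff = today - timedelta(days=WINDOW_DAYS - 1)
    recent = [d for d in warning_days(daily_bytes, quota_bytes)
              if cutoff <= d <= today]
    return max(0, VIOLATION_THRESHOLD[license_type] - len(recent))


# Constructed sample: 10 GB/day quota, 45 days of usage, six over-quota days.
GB = 1024 ** 3
QUOTA = 10 * GB
START = date(2017, 9, 1)
SPIKES = {2, 9, 16, 23, 28, 40}  # day offsets from START that exceed the quota
SAMPLE = {START + timedelta(days=i): (12 if i in SPIKES else 7) * GB
          for i in range(45)}

if __name__ == "__main__":
    print("warning days:   ", [d.isoformat() for d in warning_days(SAMPLE, QUOTA)])
    print("enterprise hit: ", first_violation(SAMPLE, QUOTA, "enterprise"))
    print("free hit:       ", first_violation(SAMPLE, QUOTA, "free"))
    print("left on Sep 25: ", warnings_left(SAMPLE, QUOTA, date(2017, 9, 25)))
```

With the same over-quota days, the Free threshold is reached well before the Enterprise one, which is why `warnings_left` is the number worth tracking per pool.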
What Does a License Warning Look Like?
> Warnings are shown in the top banner on the license master and slaves
> For further details, go to Settings > Licensing
> Click on the warning for further information
Correcting License Warnings.
> The daily license will reset at midnight, but fix the situation to prevent another warning the next day
> Next Steps:
• Get additional license room
o Purchasing a bigger license
o Rearrange license pools if you have a pool with extra license room
• Use less of the license
Correcting License Violations.
> Obtain a temporary reset through your splunk> Sales Representative
> Reset will include a temporary license that you add to the license master
> Reassess licensing needs if a violation occurs more than once!
> How do we avoid violations?
How to Avoid License Violations.
> splunk> 6 changed the game!
> License Usage Report
• Created to help understand and prevent license violation
• Provides a fast and easy approach to determine the consumption of your splunk> license
• Immediate insight into your daily Splunk indexing volume, as well as any license warnings
• Comprehensive view of the last 30 days of your splunk> usage with reporting options.
Using the License Usage Report.
> Access LURV on your deployment’s license master
> Settings > Licensing > Usage Report
Creating an Alert.
> Any dashboard panel on the License Usage Report can become an alert!
> Steps:
1. Click on one of the searches in the panel
2. Alter the search to create a threshold
3. Save as an alert!
Further Insight.
index=_internal source=*license_usage.log type="Usage"
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) AS bytes by _time idx st
| eval GB=bytes/1024/1024/1024