https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248930#M3844 <P>Hi kalyani,</P> <P>Maybe you can run the query from <A href="https://answers.splunk.com/answers/206924/how-to-get-the-license-usage-by-host-with-a-licens.html">How to get the License usage by host - (with a license master-slave setup)</A></P> <P>It's -</P> <PRE><CODE>index=_internal source=*license_usage.log* type=Usage earliest=@d |bucket _time span=1d |stats sum(b) AS volume_bytes by _time host pool i |eval volume_GB=round(volume_bytes/1024/1024/1024,3) |rename i AS indexer_GUID |JOIN indexer_GUID [|REST /services/licenser/slaves | table title label|rename title AS indexer_GUID| rename label AS indexer_name]|timechart values(volume_GB) by indexer_name usenull=f useother=f </CODE></PRE> <P>Just to ensure that we are on the same page ; -)</P> Mon, 28 Nov 2016 14:52:01 GMT ddrillic 2016-11-28T14:52:01Z https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248929#M3843 <P>Hi Team,</P> <P>I need help on below scenario:</P> <P>We have master-slave architecture in Splunk: 1 master indexer and 3 slave indexers.<BR />We have 5 GB of license.<BR />From a few days, it is noticed that Splunk _internal logs (splunkd.log,metrics.log,mongod.logs) are consuming the license.<BR />But according to the answers available here, Splunk should not consider the _internal data in license usage.<BR />Please find below links for the same:</P> <P><A href="https://answers.splunk.com/answers/302907/does-the-indexing-of-splunk-internal-logs-such-as.html%E2%80%8B" target="_blank">https://answers.splunk.com/answers/302907/does-the-indexing-of-splunk-internal-logs-such-as.html​</A></P> <P>Need some help to fix the above issue.</P> <P>Thanks &amp; Regards,<BR />kalyani Landge</P> Wed, 17 Jun 2020 00:25:03 GMT https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248929#M3843 kalyanilandge 2020-06-17T00:25:03Z https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248930#M3844 <P>Hi kalyani,</P> <P>Maybe you can run the query from <A href="https://answers.splunk.com/answers/206924/how-to-get-the-license-usage-by-host-with-a-licens.html">How to get the License usage by host - (with a license master-slave setup)</A></P> <P>It's -</P> <PRE><CODE>index=_internal source=*license_usage.log* type=Usage earliest=@d |bucket _time span=1d |stats sum(b) AS volume_bytes by _time host pool i |eval volume_GB=round(volume_bytes/1024/1024/1024,3) |rename i AS indexer_GUID |JOIN indexer_GUID [|REST /services/licenser/slaves | table title label|rename title AS indexer_GUID| rename label AS indexer_name]|timechart values(volume_GB) by indexer_name usenull=f useother=f </CODE></PRE> <P>Just to ensure that we are on the same page ; -)</P> Mon, 28 Nov 2016 14:52:01 GMT https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248930#M3844 ddrillic 2016-11-28T14:52:01Z https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248931#M3845 <P>Hi Drillic ,</P> <P>Thank you for the query and it is showing the data indexed on each slave.<BR /> But my question is why _internal logs are considering in license.<BR /> Is there any settings by which we can define which all logs should be considered in license.</P> <P>Please suggest something.</P> Wed, 30 Nov 2016 08:00:23 GMT https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248931#M3845 kalyanilandge 2016-11-30T08:00:23Z https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248932#M3846 <P>may we know, how do you say that _internal logs are consuming the license? i</P> <P>when you run this, do you get "_internal" is listed as well?</P> <PRE> index=_internal source=*license_usage.log* type=Usage | timechart span=1d sum(b) AS volume_b by idx</PRE> Wed, 30 Nov 2016 09:31:25 GMT https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248932#M3846 inventsekar 2016-11-30T09:31:25Z https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248933#M3847 <P>I can say this because when i searched for the data using all the index created by me for all the HF , It is showing no results found.<BR /> But when i am searching for the same HF using index=_internal it is giving more number of events which is in lakhs.<BR /> Am i thinking in a wrong direction?</P> Thu, 01 Dec 2016 10:21:15 GMT https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248933#M3847 kalyanilandge 2016-12-01T10:21:15Z https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248934#M3848 <P>index=_internal contains all info about the splunk servers, including the license info. but, these events will have a field called "idx" (the name of the index).</P> <P>_internal indexes can not consume license. <BR /> and also, the summary indexes dont consume license. </P> <P>can you please update us your search query.. </P> Fri, 02 Dec 2016 08:26:59 GMT https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248934#M3848 inventsekar 2016-12-02T08:26:59Z https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248935#M3849 <P>Please find the below query :</P> <PRE><CODE>index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1034 | stats sum(MB) by h | sort sum(MB) | reverse | addcoltotals </CODE></PRE> <P>There is no other index data on the hosts except _internal , still it is giving 5 MB,6 MB data some 500 hosts .There are 1000 hosts and we have 5 GB license only.<BR /> what other possible things should I check ?</P> Mon, 12 Dec 2016 06:36:08 GMT https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248935#M3849 kalyanilandge 2016-12-12T06:36:08Z https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248936#M3850 <P>Splunk internal sourcetypes will not count against license usage as contained in "_index". However, if you try and add data sources and put them in _internal, those will count against the license. Have you added in data sources and put them in _internal?</P> Tue, 13 Dec 2016 06:16:17 GMT https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248936#M3850 esix_splunk 2016-12-13T06:16:17Z https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248937#M3851 <P>I am not adding any data sources in _internal.<BR /> And I am not getting any data in the indexes created by me still license in consumed, that is the reason I am considering that _internal data in consuming license.<BR /> Is my understanding correct or not?<BR /> Am I using the wrong query to check license usage.</P> Mon, 02 Jan 2017 11:19:17 GMT https://community.splunk.com/t5/Installation/Why-are-our-Splunk-internal-logs-consuming-license/m-p/248937#M3851 kalyanilandge 2017-01-02T11:19:17Z