https://community.splunk.com/t5/Splunk-Search/Query-SPlunk-internal-Index/m-p/486916#M193753 <P>We don't have privilege to forward the logs of license master to indexer(Test Environment) due to other country Rules and Regulations. Is there any other way to get total amount of data indexed per day?</P> Tue, 14 Jan 2020 06:15:05 GMT rupeshn 2020-01-14T06:15:05Z https://community.splunk.com/t5/Splunk-Search/Query-SPlunk-internal-Index/m-p/486912#M193749 <P>Hi,</P> <P>I was trying to get amount of data getting indexed in particular index per day and analyze it as a trend. I used below Query:</P> <P>index=_internal source=license_usage.log type=Usage | stats sum(eval(b/1024/1024/1024)) AS volume_b by idx date_mday date_month date_year | stats max(volume_b) by idx date_month date_year.</P> <P>But I can see that i'm getting only below indexes in my result.</P> <P>default.<BR /> mcafee<BR /> msad<BR /> network<BR /> perfmon<BR /> veeammon<BR /> wineventlog<BR /> wireless<BR /> zscaler</P> <P>But when i run a search to get all indexes i.e index=* | dedup index | table index. I got 32 indexes in my results.</P> <P>I'm running this search on test Environment which acts as SH+DS+Indexer and reporting to another instance for license(License master).</P> <P>And can we search licensing on slave nodes by default or do we need to enable it explicitly?</P> <P>Could you please and let me know what is the issue here.</P> <P>Thank You!</P> Wed, 30 Sep 2020 03:43:10 GMT https://community.splunk.com/t5/Splunk-Search/Query-SPlunk-internal-Index/m-p/486912#M193749 rupeshn 2020-09-30T03:43:10Z https://community.splunk.com/t5/Splunk-Search/Query-SPlunk-internal-Index/m-p/486913#M193750 <P>hi @rupeshn</P> <P>Internal indexes and summary indexes do not count against licensing hence are not captured in license logs. <BR /> I ran this in my test environment and can confirm that I dont see any of internal indexes or summary indexes.</P> <P>Can you check if those missing indexes are summary indexes/internal indexes?</P> Tue, 14 Jan 2020 05:50:31 GMT https://community.splunk.com/t5/Splunk-Search/Query-SPlunk-internal-Index/m-p/486913#M193750 dvg06 2020-01-14T05:50:31Z https://community.splunk.com/t5/Splunk-Search/Query-SPlunk-internal-Index/m-p/486914#M193751 <P>Hi @dvg06,</P> <P>I can confirm that those are not summary/internal indexes.</P> <P>Just checked license_usage.log file in Test Environment and found the following line:</P> <P>11-28-2019 11:18:33.645 +0530 INFO LicenseUsage - type=Message - License usage logging not available for slave licensing instances, please see license_usage.log on license master=<A href="https://splunkl****:9089">https://splunkl****:9089</A> for usage breakdown</P> <P>?</P> Tue, 14 Jan 2020 06:10:58 GMT https://community.splunk.com/t5/Splunk-Search/Query-SPlunk-internal-Index/m-p/486914#M193751 rupeshn 2020-01-14T06:10:58Z https://community.splunk.com/t5/Splunk-Search/Query-SPlunk-internal-Index/m-p/486915#M193752 <P>Seems License master is not forwarding its logs to Indexer(Test Environment). </P> Tue, 14 Jan 2020 06:11:37 GMT https://community.splunk.com/t5/Splunk-Search/Query-SPlunk-internal-Index/m-p/486915#M193752 rupeshn 2020-01-14T06:11:37Z https://community.splunk.com/t5/Splunk-Search/Query-SPlunk-internal-Index/m-p/486916#M193753 <P>We don't have privilege to forward the logs of license master to indexer(Test Environment) due to other country Rules and Regulations. Is there any other way to get total amount of data indexed per day?</P> Tue, 14 Jan 2020 06:15:05 GMT https://community.splunk.com/t5/Splunk-Search/Query-SPlunk-internal-Index/m-p/486916#M193753 rupeshn 2020-01-14T06:15:05Z