Why does the Splunk Licensing Usage app always report "No results found"?

Explorer

I am evaluating 4.1 under the free license and have 2 days of data, and am trying to get a feel for the indexing volume for estimating license needs.

Manager>>License shows 318MB for Peak Usage but the Splunk License Usage app always shows "No results found" for all seven sections.

I'm trying to get far more granular indexing info, does the usage app not work with a free license? Is there something additional I need to install or configure?

1 Solution

Explorer

I was actually having this same issue, but I just found the solution today 🙂

Go to Manager>Data Inputs>Files & Directories, and make sure that the $SPLUNK_HOME/var/log/splunk directory is enabled. For some reason it was disabled for me by default, and thus there was nothing posting to _internal. After enabling it, the license usage data started to be populated.

Explorer

Awesome, that was exactly it. Now I have data in the License Usage app for the first time. This makes it drastically easier to evaluate Splunk for larger deployments. Thanks very much!

0 Karma
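A way to check the setting from the accepted solution without the Manager UI, as an added example that is not part of the original thread or Splunk's own code: it reads inputs.conf text and reports whether the `[monitor://$SPLUNK_HOME/var/log/splunk]` input is switched off. The function names, the constructed sample files, the accepted boolean spellings and the "highest precedence first" ordering of the files are assumptions.

```python
import re

# Monitor input for Splunk's own logs, the directory named in the accepted solution.
STANZA = "monitor://$SPLUNK_HOME/var/log/splunk"
TRUE_VALUES = {"1", "true", "t", "yes", "y"}  # assumed boolean spellings

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def internal_log_input_state(layers):
    """layers: inputs.conf texts, highest precedence first (assumed ordering,
    e.g. a local file before the default one).
    Returns 'missing', 'disabled' or 'enabled' for the STANZA input."""
    seen = False
    for text in layers:
        stanza = parse_conf(text).get(STANZA)
        if stanza is None:
            continue
        seen = True
        if "disabled" in stanza:  # the first layer that sets the key wins
            value = stanza["disabled"].lower()
            return "disabled" if value in TRUE_VALUES else "enabled"
    # Assumption: a stanza that never sets 'disabled' is treated as enabled.
    return "enabled" if seen else "missing"

# Constructed sample files, not copied from a real installation.
DEFAULT_CONF = "[monitor://$SPLUNK_HOME/var/log/splunk]\nindex = _internal\n"
LOCAL_DISABLED = ("# local override that switches the input off\n"
                  "[monitor://$SPLUNK_HOME/var/log/splunk]\ndisabled = 1\n")

if __name__ == "__main__":
    print(internal_log_input_state([LOCAL_DISABLED, DEFAULT_CONF]))
    print(internal_log_input_state([DEFAULT_CONF]))
```

A result of `disabled` or `missing` matches the symptom in this thread: nothing is written to _internal, so the License Usage searches return no results.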

Splunk Employee

I just looked into the License Usage app. It's a quite nice application, built by a customer. I'm going to write him a thanks and kudos.

I suspect you're on Windows? The app seems to look in the _internal index for data sources by path, expecting that they will contain forward slashes, e.g. source="/*/metrics.log".

You can override these searches in etc/apps/splunk_license_usage/local/savedsearches.conf, e.g.:

[kBs Indexed in Past 24 Hours by Host]
search = index="_internal" source="*metrics.log" per_host_thruput | timechart sum(kb) by series

I'll send the author a note.

Splunk Employee

Oh, maybe you're just not logged in as an admin? By default, normal users don't have access to _internaldb.

0 Karma

Explorer

ok, thanks. I didn't realize I was looking at a troubleshooting situation, I thought I just missed some configuration that needed to be set and perhaps it was a common issue since otherwise my setup is all defaults.

According to Manager » Forwarding and receiving » Forward data, it says "There are no configurations of this type", so I didn't think it was forwarding all the data somewhere else. Apparently I'm significantly misunderstanding that and will consider opening a support ticket.

0 Karma

Splunk Employee

Probably your instance is set up to forward all its data somewhere else. Splunk Answers is a mechanism for all Splunkers (employees, customers, partners, etc.) to get information on best practices, how-tos, and information on how Splunk parts work. It's not really a troubleshooting channel, and works poorly at this. Open a ticket at http://www.splunk.com/support

0 Karma

Explorer

according to manager>>indexes it's located at /opt/splunk/var/lib/splunk/_internaldb/db

However, it is size 0 with 0 events. Is there something that needs to be configured or enabled to populate this index?

0 Karma

Splunk Employee

This sounds like you have Splunk configured as a light forwarder perhaps for some reason. The question essentially becomes, where is your index=_internal data? Seems kind of support-y, since I can't really guess the answer from here.

0 Karma

Explorer

btw, should that search return anything in Splunk itself? It returns "No results found" when I use it from the search bar.

0 Karma

Explorer

No, I am on OpenSuse 11.2 running a single Splunk instance and am not using Splunk on any Windows machines at all. My data sources are the local host and a few remote syslogs feeding directly to Splunk on port 514.

Splunk itself seems to be working well, I'm just looking for details to determine the data size of various sources so that I can make intelligent choices about cost/benefit for specific event types. Other posts I've read here imply that this app does exactly that, but so far it hasn't returned any info at all.

0 Karma