Why does the Splunk Licensing Usage app always report "No results found"?

mauiguru
Explorer

I am evaluating 4.1 under the free license and have 2 days of data, and am trying to get a feel for the indexing volume for estimating license needs.

Manager>>License shows 318MB for Peak Usage but the Splunk License Usage app always shows "No results found" for all seven sections.

I'm trying to get far more granular indexing info, does the usage app not work with a free license? Is there something additional I need to install or configure?

1 Solution

Adam
Explorer

I was actually having this same issue, but I just found the solution today 🙂

Go to Manager>Data Inputs>Files & Directories, and make sure that the $SPLUNK_HOME/var/log/splunk directory is enabled. For some reason it was disabled for me by default, and thus there was nothing posting to _internal. After enabling it, the license usage data started to be populated.
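A way to check the same setting from the configuration files, as an added example that is not part of the original post: it merges `inputs.conf` layers and reports whether the monitor input for Splunk's own log directory is effectively disabled, which is the condition that leaves `_internal` empty. The stanza name `monitor://$SPLUNK_HOME/var/log/splunk`, the sample layers and the function names are assumptions made for the example; the caller supplies the layers in lowest-to-highest precedence order.

```python
"""Check whether Splunk's own-log monitor input is effectively disabled."""

# Assumed stanza name for the directory named in the post above.
INTERNAL_LOG_STANZA = "monitor://$SPLUNK_HOME/var/log/splunk"
TRUE_VALUES = {"1", "true"}


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; keys before any stanza are ignored."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def effective_stanza(layers, stanza):
    """Merge one stanza across layers; later layers override earlier ones."""
    merged = {}
    for text in layers:
        merged.update(parse_conf(text).get(stanza, {}))
    return merged


def internal_logging_status(layers):
    """Return 'missing', 'disabled' or 'enabled' for the own-log monitor input."""
    settings = effective_stanza(layers, INTERNAL_LOG_STANZA)
    if not settings:
        return "missing"
    if settings.get("disabled", "false").lower() in TRUE_VALUES:
        return "disabled"
    return "enabled"


# Constructed sample layers (not taken from a real install).
DEFAULT_LAYER = "[monitor://$SPLUNK_HOME/var/log/splunk]\nindex = _internal\n"
# Constructed local override that switches the input off.
LOCAL_DISABLED = "[monitor://$SPLUNK_HOME/var/log/splunk]\ndisabled = 1\n"
LOCAL_ENABLED = LOCAL_DISABLED.replace("disabled = 1", "disabled = false")

if __name__ == "__main__":
    print(internal_logging_status([DEFAULT_LAYER, LOCAL_DISABLED]))
    print(internal_logging_status([DEFAULT_LAYER, LOCAL_ENABLED]))
```

On a live instance, `splunk cmd btool inputs list` prints the merged configuration Splunk actually uses, so it is the authoritative check.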

mauiguru
Explorer

Awesome, that was exactly it. Now I have data in the License Usage app for the first time. This makes it drastically easier to evaluate Splunk for larger deployments. Thanks very much!

0 Karma

jrodman
Splunk Employee

I just looked into the License Usage app. It's a quite nice application, built by a customer. I'm going to write him a thanks and kudos.

I suspect you're on Windows? The app seems to look in the _internal index for data sources by path, expecting that they will contain forward slashes, e.g. source="/*/metrics.log".

You can override these searches in etc/apps/splunk_license_usage/local/savedsearches.conf, e.g.:

[kBs Indexed in Past 24 Hours by Host]
search = index="_internal" source="*metrics.log" per_host_thruput | timechart sum(kb) by series

I'll send the author a note.

jrodman
Splunk Employee

Oh, maybe you're just not logged in as an admin? By default, normal users don't have access to _internaldb.

0 Karma

mauiguru
Explorer

OK, thanks. I didn't realize I was looking at a troubleshooting situation; I thought I just missed some configuration that needed to be set and perhaps it was a common issue, since otherwise my setup is all defaults.

According to Manager » Forwarding and receiving » Forward data, it says "There are no configurations of this type", so I didn't think it was forwarding all the data somewhere else. Apparently I'm significantly misunderstanding that and will consider opening a support ticket.

0 Karma

jrodman
Splunk Employee

Probably your instance is set up to forward all its data somewhere else. Splunk Answers is a mechanism for all Splunkers (employees, customers, partners, etc) to get information on best practices, howtos, and information on how splunk parts work. It's not really a troubleshooting channel, and works poorly at this. Open a ticket at http://www.splunk.com/support

0 Karma

mauiguru
Explorer

According to Manager>>Indexes, it's located at /opt/splunk/var/lib/splunk/_internaldb/db

However, it is size 0 with 0 events. Is there something that needs to be configured or enabled to populate this index?

0 Karma

jrodman
Splunk Employee

This sounds like you have Splunk configured as a light forwarder, perhaps, for some reason. The question essentially becomes, where is your index=_internal data? Seems kind of support-y, since I can't really guess the answer from here.

0 Karma

mauiguru
Explorer

BTW, should that search return anything in Splunk itself? It returns "No results found" when I use it from the search bar.

0 Karma

mauiguru
Explorer

No, I am on OpenSuse 11.2 running a single Splunk instance and am not using Splunk on any Windows machines at all. My data sources are the local host and a few remote syslogs feeding directly to Splunk on port 514.

Splunk itself seems to be working well, I'm just looking for details to determine the data size of various sources so that I can make intelligent choices about cost/benefit for specific event types. Other posts I've read here imply that this app does exactly that, but so far it hasn't returned any info at all.

0 Karma