I am evaluating 4.1 under the free license and have 2 days of data, and am trying to get a feel for the indexing volume for estimating license needs.
Manager>>License shows 318MB for Peak Usage but the Splunk License Usage app always shows "No results found" for all seven sections.
I'm trying to get far more granular indexing info. Does the usage app not work with a free license? Is there something additional I need to install or configure?
I was actually having this same issue, but I just found the solution today 🙂
Go to Manager>Data Inputs>Files & Directories, and make sure that the $SPLUNK_HOME/var/log/splunk directory is enabled. For some reason it was disabled for me by default, and thus there was nothing posting to _internal. After enabling it, the license usage data started to be populated.
Awesome, that was exactly it. Now I have data in the License Usage app for the first time. This makes it drastically easier to evaluate Splunk for larger deployments. Thanks very much!
I just looked into the License Usage app. It's a quite nice application, built by a customer. I'm going to write him a thanks and kudos.
I suspect you're on Windows? The app seems to look in the _internal index for data sources by path, expecting that they will contain forward slashes, e.g. source="/*/metrics.log".
You can override these searches in etc/apps/splunk_license_usage/local/savedsearches.conf, e.g.:
[kBs Indexed in Past 24 Hours by Host]
search = index="_internal" source="*metrics.log" per_host_thruput | timechart sum(kb) by series
I'll send the author a note.
Oh, maybe you're just not logged in as an admin? By default, normal users don't have access to _internaldb.
OK, thanks. I didn't realize I was looking at a troubleshooting situation; I thought I just missed some configuration that needed to be set and perhaps it was a common issue, since otherwise my setup is all defaults.
According to Manager » Forwarding and receiving » Forward data, it says "There are no configurations of this type", so I didn't think it was forwarding all the data somewhere else. Apparently I'm significantly misunderstanding that and will consider opening a support ticket.
Probably your instance is set up to forward all its data somewhere else. Splunk Answers is a mechanism for all Splunkers (employees, customers, partners, etc.) to get information on best practices, how-tos, and information on how Splunk parts work. It's not really a troubleshooting channel, and works poorly at this. Open a ticket at http://www.splunk.com/support
According to Manager>>Indexes, it's located at /opt/splunk/var/lib/splunk/_internaldb/db
However, it is size 0 with 0 events. Is there something that needs to be configured or enabled to populate this index?
This sounds like you have Splunk configured as a light forwarder, perhaps, for some reason. The question essentially becomes: where is your index=_internal data? Seems kind of support-y, since I can't really guess the answer from here.
BTW, should that search return anything in Splunk itself? It returns "No results found" when I use it from the search bar.
No, I am on OpenSuse 11.2 running a single Splunk instance and am not using Splunk on any Windows machines at all. My data sources are the local host and a few remote syslogs feeding directly to Splunk on port 514.
Splunk itself seems to be working well, I'm just looking for details to determine the data size of various sources so that I can make intelligent choices about cost/benefit for specific event types. Other posts I've read here imply that this app does exactly that, but so far it hasn't returned any info at all.