All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is my license usage showing for indexes that don't exist ?

Skins
Path Finder
‎05-02-2018 07:11 PM

I am using the license usage app and i have usage being shown for indexes that arent on the system.

If i click on the index (listed in the license usage app) i'm taken to the following search (below) - what is this telling me ? series is the non-existant index name.

index="_internal" source="*metrics.log" per_index_thruput series=devices

usually if i am receiving events for an index that doesn't exist then it shows in splunk messages.

To resolve this will adding the relevant index (devices) start it populating ?

0 Karma
Reply

ssadanala1
Contributor
‎05-02-2018 10:58 PM

Is weird scenario

If you are looking at the license usage per index please run this search

index=_internal source=*license_usage.log type="Usage" | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval sourcetypename = st | eval host=h | bin _time span=1d | stats sum(b) as b by _time, host, indexname, sourcetypename | eval GB=(b/1024/1024/1024) | fields _time, indexname, sourcetypename, host, GB | stats sum(GB) as GB by indexname, sourcetypename, host

Once all the values are populated , search if there are any index=devices populated and let us know so that it helps our community with more insight what actually happening ..

Happy Splunking !!

0 Karma
Reply

Skins
Path Finder
‎05-02-2018 11:14 PM

Nope the index does not show in the output of that search - the others do.

0 Karma
Reply

ssadanala1
Contributor
‎05-02-2018 11:19 PM

If you are in situation " receiving events for an index that doesn't exist then it shows in splunk messages."

Means you are trying to send the data to unconfigured index , so you need to create the index .

0 Karma
Reply

Skins
Path Finder
‎05-02-2018 11:31 PM

No i do not see those messages - as described in the initial post - i have seen those before and duly created an index

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...