Why is my license usage showing for indexes that don't exist?

Skins
Path Finder

I am using the license usage app and I have usage being shown for indexes that aren't on the system.

If I click on the index (listed in the license usage app) I'm taken to the following search (below) - what is this telling me? series is the non-existent index name.

index="_internal" source="*metrics.log" per_index_thruput series=devices

Usually, if I am receiving events for an index that doesn't exist, then it shows in Splunk messages.

To resolve this, will adding the relevant index (devices) start it populating?

0 Karma

ssadanala1
Contributor

It is a weird scenario.

If you are looking at the license usage per index, please run this search:

index=_internal source=*license_usage.log type="Usage" | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval sourcetypename = st | eval host=h | bin _time span=1d | stats sum(b) as b by _time, host, indexname, sourcetypename | eval GB=(b/1024/1024/1024) | fields _time, indexname, sourcetypename, host, GB | stats sum(GB) as GB by indexname, sourcetypename, host

Once all the values are populated, check whether any index=devices entries are populated and let us know, so that it helps our community with more insight into what is actually happening.

Happy Splunking !!

0 Karma

Skins
Path Finder

Nope, the index does not show in the output of that search - the others do.

0 Karma

ssadanala1
Contributor

If you are in the situation "receiving events for an index that doesn't exist then it shows in Splunk messages",

it means you are trying to send the data to an unconfigured index, so you need to create the index.

0 Karma

Skins
Path Finder

No, I do not see those messages - as described in the initial post - I have seen those before and duly created an index.

0 Karma