All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is my license usage showing for indexes that don't exist ?

Skins
Path Finder
‎05-02-2018 07:11 PM

I am using the license usage app and i have usage being shown for indexes that arent on the system.

If i click on the index (listed in the license usage app) i'm taken to the following search (below) - what is this telling me ? series is the non-existant index name.

index="_internal" source="*metrics.log" per_index_thruput series=devices

usually if i am receiving events for an index that doesn't exist then it shows in splunk messages.

To resolve this will adding the relevant index (devices) start it populating ?

0 Karma
Reply

ssadanala1
Contributor
‎05-02-2018 10:58 PM

Is weird scenario

If you are looking at the license usage per index please run this search

index=_internal source=*license_usage.log type="Usage" | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval sourcetypename = st | eval host=h | bin _time span=1d | stats sum(b) as b by _time, host, indexname, sourcetypename | eval GB=(b/1024/1024/1024) | fields _time, indexname, sourcetypename, host, GB | stats sum(GB) as GB by indexname, sourcetypename, host

Once all the values are populated , search if there are any index=devices populated and let us know so that it helps our community with more insight what actually happening ..

Happy Splunking !!

0 Karma
Reply

Skins
Path Finder
‎05-02-2018 11:14 PM

Nope the index does not show in the output of that search - the others do.

0 Karma
Reply

ssadanala1
Contributor
‎05-02-2018 11:19 PM

If you are in situation " receiving events for an index that doesn't exist then it shows in splunk messages."

Means you are trying to send the data to unconfigured index , so you need to create the index .

0 Karma
Reply

Skins
Path Finder
‎05-02-2018 11:31 PM

No i do not see those messages - as described in the initial post - i have seen those before and duly created an index

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...