Hi, looking at the indexed volume I see quite a few MB of indexed Splunk logs. The question is: is this indexing counted toward our license? Below are the log files I am talking about.
/apps/tparty/splunk/var/log/splunk/web_access.log 0.256985665
/apps/tparty/splunk/var/log/splunk/splunkd_access.log 23.090337752
/apps/tparty/splunk/var/log/splunk/splunkd.log.1 23.761911393
/apps/tparty/splunk/var/log/splunk/splunkd.log 101.839995384
/apps/tparty/splunk/var/log/splunk/scheduler.log 4.307683944
/apps/tparty/splunk/var/log/splunk/metrics.log.5 23.704051972
/apps/tparty/splunk/var/log/splunk/metrics.log.4 23.704115867
/apps/tparty/splunk/var/log/splunk/metrics.log.3 18.331140518
/apps/tparty/splunk/var/log/splunk/metrics.log.2 23.706820488
/apps/tparty/splunk/var/log/splunk/metrics.log.1 21.531718254
/apps/tparty/splunk/var/log/splunk/metrics.log 6.729707730
/apps/tparty/splunk/etc/apps/sample_app/logs/maillog.1 5.304664611
/apps/tparty/splunk/etc/apps/sample_app/logs/maillog 2.542978287
That is good to know, thanks!
Then what is start -> index activity -> indexing volume used for? What I need to find out is how much indexing counted toward our license each source, source type or host is forwarding.
Actual licensed-counted volume is different and only reported once per day in the internal license_audit.log file. You can see it by:

index=_internal source=*license_audit.log | timechart span=1d sum(todaysBytesIndexed) by host

There is additional and different information in version 4.2, btw.
Any reason why it shows on (start -> index activity -> indexing Volume)? I thought that this view will list all indexed logs.
A related question: from other posts I know that Splunk will not re-index rotated log files. Why do I see them in this view (start -> index activity -> indexing Volume) as separate indexed logs?