Splunk Search

Query - Splunk _internal Index

rupeshn
Explorer

Hi,

I was trying to get the amount of data getting indexed in a particular index per day and analyze it as a trend. I used the query below:

index=_internal source=license_usage.log type=Usage | stats sum(eval(b/1024/1024/1024)) AS volume_b by idx date_mday date_month date_year | stats max(volume_b) by idx date_month date_year.

But I can see that I'm getting only the below indexes in my result.

default.
mcafee
msad
network
perfmon
veeammon
wineventlog
wireless
zscaler

But when I run a search to get all indexes, i.e. index=* | dedup index | table index, I get 32 indexes in my results.

I'm running this search on a test environment which acts as SH+DS+Indexer and reports to another instance for licensing (license master).

And can we search licensing on slave nodes by default, or do we need to enable it explicitly?

Could you please let me know what the issue is here?

Thank You!

0 Karma

dvg06
Path Finder

Hi @rupeshn

Internal indexes and summary indexes do not count against licensing, hence they are not captured in the license logs.
I ran this in my test environment and can confirm that I don't see any of the internal indexes or summary indexes.

Can you check if those missing indexes are summary indexes/internal indexes?

0 Karma

rupeshn
Explorer

Hi @dvg06,

I can confirm that those are not summary/internal indexes.

Just checked the license_usage.log file in the test environment and found the following line:

11-28-2019 11:18:33.645 +0530 INFO LicenseUsage - type=Message - License usage logging not available for slave licensing instances, please see license_usage.log on license master=https://splunkl****:9089 for usage breakdown

?

0 Karma
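
The aggregation done by the query in the first post (sum of `b` per index per day, then the peak day per index per month), together with a check for the `type=Message` line quoted above, as an added Python example that is not part of the thread and not Splunk's own code. Only the `type=Message` line comes from the thread; the `type=Usage` lines are constructed, and their layout beyond the `type`, `idx` and `b` fields used by the query is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample. Only the type=Message line is from the thread; the
# type=Usage lines are made up, and their layout beyond type/idx/b (the fields
# the thread's query uses) is an assumption.
SAMPLE = '''\
11-27-2019 10:00:01.000 +0530 INFO LicenseUsage - type=Usage s="src-a" st="st-a" h="host-a" idx="network" b=1073741824
11-27-2019 10:01:01.000 +0530 INFO LicenseUsage - type=Usage s="src-b" st="st-b" h="host-b" idx="network" b=536870912
11-28-2019 09:00:01.000 +0530 INFO LicenseUsage - type=Usage s="src-a" st="st-a" h="host-a" idx="network" b=2147483648
11-28-2019 09:05:01.000 +0530 INFO LicenseUsage - type=Usage s="src-c" st="st-c" h="host-c" idx="zscaler" b=268435456
11-28-2019 11:18:33.645 +0530 INFO LicenseUsage - type=Message - License usage logging not available for slave licensing instances, please see license_usage.log on license master=https://splunkl****:9089 for usage breakdown
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare
SLAVE_NOTICE = "License usage logging not available for slave licensing instances"


def summarize(text):
    """Return (GB per (idx, day), peak daily GB per (idx, month), notice seen)."""
    daily = defaultdict(float)
    notice = False
    for line in text.splitlines():
        if SLAVE_NOTICE in line:
            notice = True  # per-index usage is only logged on the license master
            continue
        fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
        if fields.get("type") != "Usage" or "idx" not in fields or "b" not in fields:
            continue
        day = datetime.strptime(line[:10], "%m-%d-%Y").date().isoformat()
        daily[(fields["idx"], day)] += int(fields["b"]) / 1024 ** 3  # bytes -> GB
    peak = {}
    for (idx, day), gb in daily.items():
        key = (idx, day[:7])  # "YYYY-MM", like grouping by date_month date_year
        peak[key] = max(peak.get(key, 0.0), gb)
    return dict(daily), peak, notice


if __name__ == "__main__":
    daily, peak, notice = summarize(SAMPLE)
    for (idx, day), gb in sorted(daily.items()):
        print(f"{day}  {idx:<10} {gb:.2f} GB")
    for (idx, month), gb in sorted(peak.items()):
        print(f"peak {month}  {idx:<10} {gb:.2f} GB")
    if notice:
        print("notice: this instance defers usage logging to its license master")
```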

rupeshn
Explorer

Seems the license master is not forwarding its logs to the indexer (test environment).

0 Karma

rupeshn
Explorer

We don't have the privilege to forward the logs of the license master to the indexer (test environment) due to other country rules and regulations. Is there any other way to get the total amount of data indexed per day?

0 Karma