I was trying to get amount of data getting indexed in particular index per day and analyze it as a trend. I used below Query:
index=_internal source=license_usage.log type=Usage | stats sum(eval(b/1024/1024/1024)) AS volume_b by idx date_mday date_month date_year | stats max(volume_b) by idx date_month date_year.
But I can see that i'm getting only below indexes in my result.
But when i run a search to get all indexes i.e index=* | dedup index | table index. I got 32 indexes in my results.
I'm running this search on test Environment which acts as SH+DS+Indexer and reporting to another instance for license(License master).
And can we search licensing on slave nodes by default or do we need to enable it explicitly?
Could you please and let me know what is the issue here.
Internal indexes and summary indexes do not count against licensing hence are not captured in license logs.
I ran this in my test environment and can confirm that I dont see any of internal indexes or summary indexes.
Can you check if those missing indexes are summary indexes/internal indexes?
I can confirm that those are not summary/internal indexes.
Just checked license_usage.log file in Test Environment and found the following line:
11-28-2019 11:18:33.645 +0530 INFO LicenseUsage - type=Message - License usage logging not available for slave licensing instances, please see license_usage.log on license master=https://splunkl****:9089 for usage breakdown
We don't have privilege to forward the logs of license master to indexer(Test Environment) due to other country Rules and Regulations. Is there any other way to get total amount of data indexed per day?