Archive

Splunk License Usage showing everything by host

Path Finder

I have 2 Splunk systems - Prod and QA. Both are running the same version, have the same data before forwarded to them, etc. When I run the Splunk License Usage in Prod, it works fine - I've even added some for 7 and 30 day periods.

But, when I use the license app for QA, every applet is showing the results based on hosts, not source or sourcetype. If I manually run the query for a particular applet in the search screen, it shows hosts across the top, not sourcetype. But, if I look at my main Splunk screen, the sourcetypes are there and seems to be working correctly.

If I execute the query in the search app, I get the same thing - column headings with hosts instead of sourcetypes.

index="_internal" source="/*/metrics.log" per_sourcetype_thruput | timechart sum(kb) by series

What would cause this?

Thanks!

Path Finder

Thanks for the reply Simeon. I figured out the problem. Somehow my inputs.conf file got poplulated with a bunch of things that shouldn't have been in there, and missing what should have been in there. Once I got that fixed, the licensing information was OK.

0 Karma

Splunk Employee
Splunk Employee

The search query you have shown is specific to sourcetype thruput. Unless Splunk is using the host value as the sourcetype, it might simply be a charting label issue. If you want host specific statistics, you can run this search:

index="_internal" source="/*/metrics.log" per_host_thruput | timechart sum(kb) by series

Note that any of the metrics.log per_*_thruput entries are limited to the top ten series. If you want to increase this value, you can edit the limits.conf file for the number of values used in the metrics.log file.

0 Karma