I would like to ask how I can 'fake' or create input of fields with values for Splunk's
license_audit.log to consume. Which source type to put it to? Is there a tool to create such sample logs?
Has anyone done this before?
Yeah, I feel like you have an idea to test something but really what you want to do is maybe run a data generator which outputs the same format data into another log?
I am trying to build a dashboard offline to count license usage. I can't bring the work in. I can only build it remotely. The client isn't aware of what he would like to do with Splunk other than checking out on the $$ it costs. I just want to be able to input data into this file in Splunk's convention and sourcetypes so I can build dashboards off it, and then the user just has to copy and paste my customized app to use it. No need to worry about it not being able to work in a new setup if the 1st server fails.
The answer is yes, why not.
You can add your own lines at the end of the file, and they will be indexed to _internal.
However, be aware that this is not the way Splunk calculates the license volume; those logs are a report only. But it can be enough for your dashboard tests.
Also, if you want to be close to the truth, do not forget to add the 2 types of events (details of volume all over the day, and the daily sum per pool).
Have you looked at the License Report in the Deployment Monitor app? Maybe that's what you need in a neat pre-built package.
Martin, I can't get internet access on that Linux VM box I'm using... Frustrating... I needed to vary from the standard dashboards that I am creating because they are in time frames longer than prescribed.
You can still download the App package onto your local machine, and install from file through the Splunk web interface.
As for varying the time frames, if the standard multiple-week-display isn't enough you could take their search and modify the time range/bucketing to suit your needs.