Getting Data In

Data stopped inserting?

Afik_Office
Loves-to-Learn
Hello, ***this is my first time using Splunk***. I have installed Splunk and set up a simple syslog UDP input on port 11514. It used to work great until last week, then it stopped getting any data. I have disabled the "service" and opened a simple Python UDP server (to see if I'm getting any data) to see where the problem is (I didn't change any setting on the sender side). In the UDP server I get the messages. I shut down the Python server and enabled Splunk, but still get nothing. What could it be? I'm using the free license (and it hasn't been more than 30 days, if that's an issue). Thanks,
0 Karma

venkatasri
SplunkTrust

Hi @Afik_Office 

Yes, it's the total combining all inputs. If you do not have any messages such as license_warning, that's good. If you are able to, check the _internal logs.

index=_internal source=/opt/splunk/var/log/splunk/license_usage.log st=<replace_with_your_sourcetype>
| stats sum(b) as total_bytes 
| eval MB=(total_bytes/1024)/1024

--

An upvote would be appreciated if it helps!

0 Karma

venkatasri
SplunkTrust

Hi @Afik_Office 

These are the points to check when you are using the free license:

  • The Enterprise Trial license allows you to index 500 MB of data per day. If you exceed that limit you receive a license warning.
  • If you generate three or more warnings in a rolling 30-day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. No reset license is available.

You might be receiving the data on Splunk and indexing it; if you have violated the license you are unable to search it, hence you are assuming the UDP stream has stopped receiving. Refer to: About license violations - Splunk Documentation

If you want to test its functionality/dev, upgrade to the dev license, which has no restriction but strictly cannot be used for general-purpose commercial use - https://dev.splunk.com/enterprise/dev_license

  • You can check the UDP stream indexing status by logging into the host where Splunk is installed and navigating to (if Linux) $SPLUNK_HOME/var/log/splunk/metrics.log. Check for group=per_sourcetype_thruput, series="<replace_it_with_your_udp_sourcetype_name_here>" and check whether you are getting any events with kbps=<value greater than 0>, for example:

06-28-2021 09:49:52.996 +1000 INFO  Metrics - group=per_sourcetype_thruput, series="splunkd", kbps=0.4629412718777596, eps=0.516150377573679, kb=14.3505859375, ev=16, avg_age=0.1875, max_age=3

----

An upvote would be appreciated and accept solution if it helps!

0 Karma
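Both checks in this thread, the `license_usage.log` search in the earlier reply (`stats sum(b)` per sourcetype, converted to MB) and the `metrics.log` `per_sourcetype_thruput` check in this reply, are key=value scans of splunkd log lines. The script below is an added example, not code from the replies or from Splunk: it parses constructed sample lines of both files (the `splunkd` metrics line is the one quoted above; the `syslog`, `syslog_port2`, LicenseUsage and per_index lines are made up for illustration), sums licensed bytes per day and per sourcetype, and lists which expected sourcetypes indexed nothing. The field names `group`, `series`, `kbps`, `ev`, `type`, `st` and `b` are the ones used in those two logs; the sourcetype names and byte counts are assumptions. Point it at the real files on the host running Splunk to see the actual numbers.

```python
"""Scan metrics.log and license_usage.log for a stalled input (added example)."""
import re
from collections import defaultdict

# Bare values stop at whitespace or comma (metrics.log is comma-separated,
# license_usage.log is space-separated); quoted values may contain either.
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^\s,]+)')

# Constructed sample lines. The first metrics line is the one quoted in the thread.
METRICS_SAMPLE = [
    '06-28-2021 09:49:52.996 +1000 INFO  Metrics - group=per_sourcetype_thruput, series="splunkd", kbps=0.4629412718777596, eps=0.516150377573679, kb=14.3505859375, ev=16, avg_age=0.1875, max_age=3',
    '06-28-2021 09:49:52.996 +1000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=0.0123, eps=0.1, kb=0.38, ev=3, avg_age=0, max_age=1',
    '06-28-2021 09:50:23.996 +1000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=0, eps=0, kb=0, ev=0, avg_age=0, max_age=0',
    '06-28-2021 09:50:23.996 +1000 INFO  Metrics - group=per_index_thruput, series="main", kbps=0.5, eps=0.6, kb=15, ev=19, avg_age=0, max_age=3',
]
LICENSE_SAMPLE = [
    '06-27-2021 00:00:14.150 +1000 INFO  LicenseUsage - type="Usage" s="udp:11514" st="syslog" h="sender01" o="" idx="main" i="IDX-PLACEHOLDER" pool="auto_generated_pool_free" b=1048576 poolsz=524288000',
    '06-27-2021 01:00:14.150 +1000 INFO  LicenseUsage - type="Usage" s="udp:11514" st="syslog" h="sender01" o="" idx="main" i="IDX-PLACEHOLDER" pool="auto_generated_pool_free" b=524288 poolsz=524288000',
    '06-27-2021 01:00:14.150 +1000 INFO  LicenseUsage - type="Usage" s="udp:11515" st="syslog_port2" h="sender02" o="" idx="main" i="IDX-PLACEHOLDER" pool="auto_generated_pool_free" b=2097152 poolsz=524288000',
    '06-28-2021 00:00:03.001 +1000 INFO  LicenseUsage - type="RolloverSummary" slave="IDX-PLACEHOLDER" pool="auto_generated_pool_free" poolsz=524288000 b=3670016',
    '06-28-2021 00:00:14.150 +1000 INFO  LicenseUsage - type="Usage" s="udp:11514" st="syslog" h="sender01" o="" idx="main" i="IDX-PLACEHOLDER" pool="auto_generated_pool_free" b=262144 poolsz=524288000',
]


def parse_kv(line):
    """Return the key=value pairs of a splunkd log line as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def throughput_by_series(metrics_lines):
    """Summarise group=per_sourcetype_thruput lines.

    Returns {sourcetype: {"intervals": n, "events": total_ev, "max_kbps": x}}.
    A sourcetype that is absent, or present only with ev=0, indexed nothing
    in the scanned window, which is the condition the reply says to look for.
    """
    out = {}
    for line in metrics_lines:
        kv = parse_kv(line)
        if kv.get("group") != "per_sourcetype_thruput" or "series" not in kv:
            continue
        s = out.setdefault(kv["series"], {"intervals": 0, "events": 0, "max_kbps": 0.0})
        s["intervals"] += 1
        s["events"] += int(kv.get("ev", 0))
        s["max_kbps"] = max(s["max_kbps"], float(kv.get("kbps", 0)))
    return out


def stalled_sourcetypes(metrics_lines, expected):
    """Return the expected sourcetypes with zero indexed events in the window."""
    seen = throughput_by_series(metrics_lines)
    return [st for st in expected if seen.get(st, {"events": 0})["events"] == 0]


def daily_usage_mb(license_lines):
    """Sum b= of type=Usage lines per (day, sourcetype), in MB.

    Same arithmetic as the community search: stats sum(b), then /1024/1024.
    RolloverSummary lines carry no st= and are skipped.
    """
    totals = defaultdict(int)
    for line in license_lines:
        kv = parse_kv(line)
        if kv.get("type") != "Usage" or "st" not in kv:
            continue
        day = line.split(" ", 1)[0]          # MM-DD-YYYY prefix of the line
        totals[(day, kv["st"])] += int(kv["b"])
    return {k: round(v / 1024 / 1024, 3) for k, v in totals.items()}


def daily_total_mb(license_lines):
    """Per-day total across all sourcetypes, to compare with the 500 MB/day limit."""
    totals = defaultdict(float)
    for (day, _st), mb in daily_usage_mb(license_lines).items():
        totals[day] += mb
    return dict(totals)


if __name__ == "__main__":
    # Replace the sample lists with open("$SPLUNK_HOME/var/log/splunk/...").readlines()
    for st, stats in throughput_by_series(METRICS_SAMPLE).items():
        print(f"{st:14s} intervals={stats['intervals']} events={stats['events']} max_kbps={stats['max_kbps']:.4f}")
    print("stalled:", stalled_sourcetypes(METRICS_SAMPLE, ["syslog", "syslog_port2"]))
    for (day, st), mb in sorted(daily_usage_mb(LICENSE_SAMPLE).items()):
        print(f"{day} {st:14s} {mb:8.3f} MB")
    print("per day:", daily_total_mb(LICENSE_SAMPLE))
```

On the sample data `syslog_port2` shows license usage on 06-27 but no throughput on 06-28, which is the "worked until last week" pattern from the question: bytes were licensed while the input was alive, and the sourcetype then disappeared from `per_sourcetype_thruput`. The per-day totals are far below 500 MB, so on this data the license would not be the cause.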

Afik_Office
Loves-to-Learn
Thank you for the answer. I'm sending less than 10MB per day; my log is around 5 lines of less than 200 chars each every 30 seconds. Something I thought about: is the 500MB for all the data, or for each "Data input"? Because now I remember that I have 1 more syslog running (on another port), but there I'm getting the data for day 1 without a problem. Is there anywhere I can see the size of the incoming data per day? -- I didn't get any license warning message (mail\dashboard\messages) -- How can I check the UDP on Windows Server 2019? Thank you,
0 Karma