Getting Data In

Data stopped inserting?

Afik_Office
Loves-to-Learn
Hello, ***this is my first time using Splunk***. I have installed Splunk and set up a simple syslog UDP input on port 11514. It used to work great until last week, then it stopped getting any data. I have disabled the "service" and opened a simple Python UDP server (to see if I'm getting any data), to see where the problem is (I didn't change any setting on the sender side). In the UDP server I get the messages. I shut down the Python server and enabled Splunk, but still get nothing. What could it be? I'm using the free license (and it hasn't been more than 30 days, if that's an issue). Thanks,
0 Karma

venkatasri
SplunkTrust

Hi @Afik_Office 

Yes, it is the total combining all inputs. If you do not have any messages such as license_warning, that's good. If you are able to, check the _internal logs:

index=_internal source=/opt/splunk/var/log/splunk/license_usage.log st=<replace_with_your_sourcetype>
| stats sum(b) as total_bytes 
| eval MB=(total_bytes/1024)/1024

--

An upvote would be appreciated if it helps!

0 Karma

venkatasri
SplunkTrust

Hi @Afik_Office 

These are the points to check when you are using the free license:

  • The Enterprise Trial license allows you to index 500 MB of data per day. If you exceed that limit you receive a license warning.
  • If you generate three or more warnings in a rolling 30-day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. No reset license is available.

You might be receiving the data on Splunk and indexing it; if you have violated the license you are unable to search it, hence you are assuming the UDP stream has stopped receiving. Refer to About license violations - Splunk Documentation.

If you want to test its functionality for development, upgrade to the dev license, which has no restriction but strictly cannot be used for general-purpose commercial use - https://dev.splunk.com/enterprise/dev_license

  • You can check the UDP stream indexing status by logging into the host where Splunk is installed, navigating (on Linux) to $SPLUNK_HOME/var/log/splunk/metrics.log, and checking for group=per_sourcetype_thruput, series="<replace_it_with_your_udp_sourcetype_name_here>"; check whether you are getting any events with kbps greater than 0, for example:


06-28-2021 09:49:52.996 +1000 INFO  Metrics - group=per_sourcetype_thruput, series="splunkd", kbps=0.4629412718777596, eps=0.516150377573679, kb=14.3505859375, ev=16, avg_age=0.1875, max_age=3


----

An upvote would be appreciated, and accept the solution if it helps!

0 Karma
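As an added example (not code from this thread, from Splunk, or from the answer above), here is a small Python script that automates the metrics.log check described in that answer: it parses per_sourcetype_thruput lines, sums the ev and kb counters for one sourcetype series over a recent window, and reports whether the series is silent. The log lines embedded below are constructed in the same format as the line quoted in the answer; the series name "syslog" and the 5-minute window are assumptions, so substitute your own UDP input's sourcetype and path. Because metrics.log is a plain file under $SPLUNK_HOME/var/log/splunk (or %SPLUNK_HOME%\var\log\splunk on Windows), it is readable even when a license violation blocks searching, and the script runs the same on Windows Server 2019 as on Linux.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in metrics.log format (NOT real data): "syslog" stands in
# for the UDP input's sourcetype. It is seen once with 5 events, then once with
# zero events, then disappears from the later 30-second interval entirely.
SAMPLE_METRICS_LOG = """\
06-28-2021 09:49:52.996 +1000 INFO  Metrics - group=per_sourcetype_thruput, series="splunkd", kbps=0.4629412718777596, eps=0.516150377573679, kb=14.3505859375, ev=16, avg_age=0.1875, max_age=3
06-28-2021 09:49:52.996 +1000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=0.03125, eps=0.161290322580645, kb=0.96875, ev=5, avg_age=0.2, max_age=1
06-28-2021 09:50:23.001 +1000 INFO  Metrics - group=per_sourcetype_thruput, series="splunkd", kbps=0.4501, eps=0.5, kb=13.95, ev=15, avg_age=0.2, max_age=2
06-28-2021 09:50:23.001 +1000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=0.0, eps=0.0, kb=0.0, ev=0, avg_age=0.0, max_age=0
06-28-2021 09:50:23.001 +1000 INFO  Metrics - group=per_index_thruput, series="main", kbps=0.48, eps=0.66, kb=14.9, ev=20, avg_age=0.2, max_age=3
06-28-2021 09:50:53.004 +1000 INFO  Metrics - group=per_sourcetype_thruput, series="splunkd", kbps=0.47, eps=0.52, kb=14.57, ev=16, avg_age=0.2, max_age=3
"""

# One "Metrics -" line: timestamp with offset, group, quoted series, then key=value pairs.
METRICS_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
    r'INFO\s+Metrics - group=(?P<group>[^,]+), series="(?P<series>[^"]*)", (?P<rest>.*)$'
)


def parse_metrics(text, group="per_sourcetype_thruput"):
    """Return {series: [(timestamp, {field: float}), ...]} for one metrics group."""
    out = defaultdict(list)
    for line in text.splitlines():
        m = METRICS_RE.match(line)
        if not m or m.group("group") != group:
            continue
        ts = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
        fields = {}
        for kv in m.group("rest").split(", "):
            key, _, value = kv.partition("=")
            try:
                fields[key] = float(value)
            except ValueError:
                pass  # ignore any non-numeric field
        out[m.group("series")].append((ts, fields))
    return dict(out)


def thruput_report(text, series, now=None, window_seconds=300):
    """Summarise one sourcetype's recent indexing throughput.

    Returns a dict with: seen (series ever appeared), last_seen (datetime or
    None), events (sum of ev within the window), kb (sum of kb within the
    window) and quiet (True when nothing was indexed in the window).
    """
    samples = parse_metrics(text).get(series, [])
    if not samples:
        return {"seen": False, "last_seen": None, "events": 0, "kb": 0.0, "quiet": True}
    samples.sort(key=lambda s: s[0])
    now = now or samples[-1][0]  # default: measure relative to the newest sample
    window = timedelta(seconds=window_seconds)
    recent = [f for ts, f in samples if now - ts <= window]
    events = int(sum(f.get("ev", 0) for f in recent))
    kb = sum(f.get("kb", 0.0) for f in recent)
    return {"seen": True, "last_seen": samples[-1][0], "events": events,
            "kb": kb, "quiet": events == 0}


if __name__ == "__main__":
    # Usage: python check_thruput.py [path/to/metrics.log] [sourcetype]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    name = sys.argv[2] if len(sys.argv) > 2 else "syslog"
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_METRICS_LOG
    report = thruput_report(text, name)
    print(f"series={name!r} seen={report['seen']} last_seen={report['last_seen']} "
          f"events={report['events']} kb={report['kb']:.3f} quiet={report['quiet']}")
```

Two caveats when reading the result: a quiet=True with seen=True and a recent last_seen means Splunk is receiving the input but nothing arrived in that interval (so the sender or the network path is the suspect), whereas seen=False for a sourcetype that used to show up points at the input itself. Also, each 30-second interval of metrics.log lists only the busiest series (limits.conf [metrics] maxseries, 10 by default), so on a busy indexer a low-volume UDP sourcetype can be absent from an interval without being broken; widen the window or check the per_source_thruput group before concluding the input is dead.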

Afik_Office
Loves-to-Learn
Thank you for the answer. I'm sending less than 10 MB per day; my log is around 5 lines of less than 200 chars each every 30 seconds. Something I thought about: is the 500 MB for all the data, or for each "Data input"? Because now I remember that I have 1 more syslog running (on another port), but there I'm getting the data for day 1 without a problem. Is there anywhere I can see the size of the incoming data per day? -- I didn't get any license warning message (mail\dashboard\messages). -- How can I check the UDP on Windows Server 2019? Thank you,
0 Karma