Phantom sourcetypes being reported against license...

Cuyose · ‎05-22-2014

In my license usage reports its showing a couple sourcetypes that are taking a lot of indexing volume, however they actual exist NOWHERE.

Where is splunk counting these phantom events and how can I find out where they are coming from as searching by them is not working.

sourctypes being reported are weblogic_stdout, and app I do not have any sourcetypes configured for these and doing a top sourcetype neve shows these even listed in any index.

yannK · ‎05-27-2014

Maybe the events are not in your usual indexes :

look for :
index=* OR index=_* sourcetype=*weblogic_stdout*

and check in your license logs for the source/index/host

index=_internal source=*license_usage.log* st=weblogic_stdout | stats count by idx s h st

Cuyose · ‎05-27-2014

It appears this is a source type applied to the internal index when it reports license usage.
index=* OR index=* sourcetype=weblogic_stdout returns nothing, but your other query returns this for events up to the minute.
05-27-2014 18:40:08.405 +0000 INFO LicenseUsage - type=Usage s="{monitored input}app.log" st=weblogic_stdout h="HOST" o="" i="6416B9E4-AAE0-4A70-A1FE-1233DE1B42E6" pool="auto_generated_pool_enterprise" b=3618 poolsz=2147483648,
but thats the only source returning, and its source type is not web logic when I search for that source.

yannK · ‎05-27-2014

have you identified the index where they are located ?

martin_mueller · ‎05-22-2014

Run this over all time from a user able to view all indexes:

| metadata type=sourcetypes index=*

Phantom sourcetypes being reported against license volume

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!