In my license usage reports it's showing a couple of sourcetypes that are taking a lot of indexing volume, however they actually exist NOWHERE.
Where is Splunk counting these phantom events, and how can I find out where they are coming from, as searching by them is not working?
Sourcetypes being reported are weblogic_stdout, and app. I do not have any sourcetypes configured for these, and doing a top sourcetype never shows these even listed in any index.
Maybe the events are not in your usual indexes.
Look for:
index=* OR index=_* sourcetype=*weblogic_stdout*
and check in your license logs for the source/index/host
index=_internal source=*license_usage.log* st=weblogic_stdout | stats count by idx s h st
It appears this is a source type applied to the internal index when it reports license usage.
index=* OR index=* sourcetype=weblogic_stdout returns nothing, but your other query returns this for events up to the minute.
05-27-2014 18:40:08.405 +0000 INFO LicenseUsage - type=Usage s="{monitored input}app.log" st=weblogic_stdout h="HOST" o="" i="6416B9E4-AAE0-4A70-A1FE-1233DE1B42E6" pool="auto_generated_pool_enterprise" b=3618 poolsz=2147483648,
But that's the only source returning, and its source type is not web logic when I search for that source.
Have you identified the index where they are located?
Run this over all time from a user able to view all indexes:
| metadata type=sourcetypes index=*
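
An offline version of the license-log check suggested above, as an added example that is not part of the original thread: it parses type=Usage lines in the format quoted in the thread and sums b (bytes) per sourcetype, source, host and index, so the source and host behind an unexpected st value stand out. The sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the license_usage.log format quoted in the thread.
PFX = "05-27-2014 18:40:08.405 +0000 INFO LicenseUsage - "
POOL = 'i="GUID-PLACEHOLDER" pool="auto_generated_pool_enterprise"'
SAMPLE = [
    PFX + 'type=Usage s="{monitored input}app.log" st=weblogic_stdout h="HOST" o="" '
        + POOL + ' b=3618 poolsz=2147483648,',
    PFX + 'type=Usage s="{monitored input}app.log" st=weblogic_stdout h="HOST" o="" '
        + POOL + ' b=1382 poolsz=2147483648',
    PFX + 'type=Usage s="/var/log/messages" st=syslog h="HOST2" o="" idx="main" '
        + POOL + ' b=500 poolsz=2147483648',
    # Not a per-event usage record; must be ignored by the aggregation.
    PFX + 'type=RolloverSummary ' + POOL + ' b=99999 poolsz=2147483648',
]

# key=value or key="quoted value"; quoted values may contain spaces.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_usage(line):
    """Return the fields of a LicenseUsage type=Usage line, or None."""
    if "LicenseUsage" not in line:
        return None
    fields = {k: (unquoted or quoted) for k, quoted, unquoted in KV.findall(line)}
    b = fields.get("b", "").rstrip(",")  # tolerate a trailing comma as in the quoted line
    if fields.get("type") != "Usage" or not b.isdigit():
        return None
    fields["b"] = int(b)
    return fields

def usage_by_origin(lines, sourcetype=None):
    """Sum licensed bytes per (st, s, h, idx), optionally for one sourcetype."""
    totals = defaultdict(int)
    for line in lines:
        f = parse_usage(line)
        if f is None or (sourcetype and f.get("st") != sourcetype):
            continue
        # idx is absent from the line quoted in the thread, so default it to "".
        key = (f.get("st", ""), f.get("s", ""), f.get("h", ""), f.get("idx", ""))
        totals[key] += f["b"]
    return dict(totals)

if __name__ == "__main__":
    ranked = sorted(usage_by_origin(SAMPLE).items(), key=lambda kv: -kv[1])
    for (st, s, h, idx), b in ranked:
        print(f"{b:>8} bytes  st={st} s={s} h={h} idx={idx or '-'}")
```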