Getting Data In

Phantom sourcetypes being reported against license volume

Builder

In my license usage reports, it's showing a couple of sourcetypes that are taking a lot of indexing volume; however, they actually exist NOWHERE.

Where is Splunk counting these phantom events, and how can I find out where they are coming from, as searching by them is not working?

Sourcetypes being reported are weblogic_stdout and app. I do not have any sourcetypes configured for these, and doing a top sourcetype never shows these even listed in any index.

0 Karma

Splunk Employee

Maybe the events are not in your usual indexes.

Look for:
index=* OR index=_* sourcetype=*weblogic_stdout*

and check in your license logs for the source/index/host:

index=_internal source=*license_usage.log* st=weblogic_stdout | stats count by idx s h st

0 Karma

Builder

It appears this is a source type applied to the internal index when it reports license usage.

index=* OR index=_* sourcetype=weblogic_stdout returns nothing, but your other query returns this for events up to the minute:

05-27-2014 18:40:08.405 +0000 INFO LicenseUsage - type=Usage s="{monitored input}app.log" st=weblogic_stdout h="HOST" o="" i="6416B9E4-AAE0-4A70-A1FE-1233DE1B42E6" pool="auto_generated_pool_enterprise" b=3618 poolsz=2147483648

But that's the only source returning, and its source type is not web logic when I search for that source.

0 Karma
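
The per-source breakdown of license_usage.log discussed above can also be done offline against a copy of the log. This is an added example, not part of the original thread or Splunk's own code; the sample lines, hosts and paths are constructed, and `parse_usage` and `usage_by_origin` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample lines in the license_usage.log format quoted in the thread.
# Hosts, paths, GUIDs and byte counts are made up; some lines carry no idx field.
SAMPLE = '''\
05-27-2014 18:40:08.405 +0000 INFO LicenseUsage - type=Usage s="/opt/app/logs/app.log" st=weblogic_stdout h="web01" o="" i="00000000-0000-0000-0000-000000000000" pool="auto_generated_pool_enterprise" b=3618 poolsz=2147483648,
05-27-2014 18:41:08.411 +0000 INFO LicenseUsage - type=Usage s="/opt/app/logs/app.log" st=weblogic_stdout h="web01" o="" i="00000000-0000-0000-0000-000000000000" pool="auto_generated_pool_enterprise" b=1382 poolsz=2147483648
05-27-2014 18:41:08.412 +0000 INFO LicenseUsage - type=Usage s="/var/log/my app/server.out" st=weblogic_stdout h="web02" o="" idx="main" i="00000000-0000-0000-0000-000000000000" pool="auto_generated_pool_enterprise" b=700 poolsz=2147483648
05-27-2014 18:41:08.413 +0000 INFO LicenseUsage - type=Usage s="/var/log/messages" st=syslog h="db01" o="" idx="main" i="00000000-0000-0000-0000-000000000000" pool="auto_generated_pool_enterprise" b=900 poolsz=2147483648
05-28-2014 00:00:00.000 +0000 INFO LicenseUsage - type=RolloverSummary pool="auto_generated_pool_enterprise" b=99999 poolsz=2147483648
'''

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]*))')

def parse_usage(line):
    """Return the key=value fields of a type=Usage line, or None for other lines."""
    if "LicenseUsage" not in line:
        return None
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV.finditer(line)}
    return fields if fields.get("type") == "Usage" else None

def usage_by_origin(lines, sourcetype=None):
    """Sum licensed bytes (b) per (st, s, h, idx), largest first."""
    totals = defaultdict(int)
    for line in lines:
        f = parse_usage(line)
        if f is None or (sourcetype and f.get("st") != sourcetype):
            continue
        # Lines without an idx field are reported with "-" instead of being dropped.
        key = (f.get("st", ""), f.get("s", ""), f.get("h", ""), f.get("idx", "-"))
        totals[key] += int(f.get("b", 0))
    return sorted(totals.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for (st, s, h, idx), b in usage_by_origin(SAMPLE.splitlines(), "weblogic_stdout"):
        print(f"{b:>10} bytes  st={st} s={s} h={h} idx={idx}")
```

The source and host with the largest byte totals for the unexpected sourcetype are the inputs to check first.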

Splunk Employee

Have you identified the index where they are located?

0 Karma

SplunkTrust

Run this over all time from a user able to view all indexes:

| metadata type=sourcetypes index=*
0 Karma