Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is the universal forwarder on the license master server not sending all license_usage.log data to the indexer cluster?

abhayneilam
Contributor
‎09-10-2015 12:10 PM

Hi,

I have a Universal Forwarder installed on the License Master server to send the License_usage.log to the central indexer cluster ( total is 5 ).

but when I am writing the search in the Central Cluster, I found some gaps for some dates: My search is as below :

index=XXX sourcetype=license_usage.log type= RolloverSummary earliest=-30d latest=@d| eval gb=b/1024/1024/1024 | timechart span=1d useother=f limit=20 sum(gb) AS volume_gb by pool |rename _time as Date| eval Date=strftime(Date,"%Y-%m-%d")

Please let me know how do I find the Root Cause for this issue.

0 Karma
Reply

Yorokobi
SplunkTrust
SplunkTrust
‎09-10-2015 02:02 PM

Question: Do you really have more than 20 license pools?

I tested this on my (fairly large) Splunk deployment (with four license pools) and didn't see any gaps over 30 days.

earliest=-30d latest=@d index=_internal source="*license_usage.log" type="RolloverSummary" 
| timechart span=1d sum(eval(b/1024/1024/1024/1024)) AS volume_tb BY pool
| rename _time AS Date | eval Date = strftime(Date, "%F")

I would remove the UF and let the LM forward its logs to your indexer(s) and see if your results are more complete after a week or so. Perhaps remove the limit=20 and useother=f options from timechart.

Reply

Yorokobi
SplunkTrust
SplunkTrust
‎09-10-2015 01:46 PM

I realize this doesn't answer your question, but your current solution is not considered best practice for forwarding logs from Splunk.

You don't need a separate UF to forward the license manager's logs, it is perfectly capable of doing so on its own.

Create $SPLUNK_HOME/etc/apps/heavyforwarder_outputs/default/outputs.conf:

[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = server_one:9997, server_two:9997

[indexAndForward]
index = false

Substitute your indexers for server_one, server_two, etc. and restart Splunk.

Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...