Hi Team,
I need help with the below scenario:
We have a master-slave architecture in Splunk: 1 master indexer and 3 slave indexers.
We have 5 GB of license.
For the past few days, we have noticed that Splunk _internal logs (splunkd.log, metrics.log, mongod.logs) are consuming the license.
But according to the answers available here, Splunk should not consider the _internal data in license usage.
Please find the link below for the same:
https://answers.splunk.com/answers/302907/does-the-indexing-of-splunk-internal-logs-such-as.html
Need some help to fix the above issue.
Thanks & Regards,
Kalyani Landge
May we know how you can say that _internal logs are consuming the license?
When you run this, is "_internal" listed as well?
index=_internal source=*license_usage.log* type=Usage | timechart span=1d sum(b) AS volume_b by idx
I can say this because when I searched for the data using all the indexes created by me for all the HFs, it showed no results found.
But when I search for the same HF using index=_internal, it gives a large number of events, in the lakhs.
Am I thinking in the wrong direction?
index=_internal contains all info about the Splunk servers, including the license info. But these events will have a field called "idx" (the name of the index).
_internal indexes cannot consume license.
Also, the summary indexes don't consume license.
Can you please update us with your search query?
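An added example, not part of the thread: a short Python parser over constructed license_usage.log lines that shows the distinction made in the reply above. The usage events are stored in _internal, while each event's idx field names the index the bytes were counted against. The sample lines, host names and GUIDs are made up; h, idx, i, pool and b are the fields the thread's queries use.

```python
import re
from collections import defaultdict

# Constructed sample in the key=value layout of license_usage.log.
# Host names, GUIDs and byte counts are invented for illustration.
SAMPLE_LOG = '''\
01-15-2024 10:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app.log" st="app_logs" h="hf01" o="" idx="app_index" i="GUID-A" pool="auto_generated_pool_enterprise" b=4194304 poolsz=5368709120
01-15-2024 10:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/messages" st="syslog" h="hf02" o="" idx="main" i="GUID-B" pool="auto_generated_pool_enterprise" b=2097152 poolsz=5368709120
01-15-2024 10:01:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/messages" st="syslog" h="hf01" o="" idx="main" i="GUID-A" pool="auto_generated_pool_enterprise" b=1048576 poolsz=5368709120
01-16-2024 00:00:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_enterprise" b=7340032 poolsz=5368709120
'''

# key=value pairs, where the value is either "quoted" or a bare token
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_usage(text):
    """Yield a field dict for every type=Usage line, skipping other types."""
    for line in text.splitlines():
        fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in KV.finditer(line)}
        if fields.get("type") == "Usage" and "b" in fields:
            yield fields


def usage_mb(text, *keys):
    """Sum b (bytes) per combination of the given fields, returned in MB."""
    totals = defaultdict(int)
    for f in parse_usage(text):
        totals[tuple(f.get(k, "") for k in keys)] += int(f["b"])
    return {k: v / 1024 / 1024 for k, v in totals.items()}


if __name__ == "__main__":
    # Which index was charged, and which host sent the data to that index
    for key, mb in sorted(usage_mb(SAMPLE_LOG, "h", "idx").items()):
        print(key, f"{mb:.1f} MB")
```

Grouping by both h and idx, rather than by h alone, shows for each host which index its counted bytes went to.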
Please find the query below:
index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1024 | stats sum(MB) by h | sort sum(MB) | reverse | addcoltotals
There is no other index data on the hosts except _internal, still it is giving 5 MB, 6 MB of data for some 500 hosts. There are 1000 hosts and we have a 5 GB license only.
What other possible things should I check?
Splunk internal sourcetypes will not count against license usage as contained in "_index". However, if you try and add data sources and put them in _internal, those will count against the license. Have you added in data sources and put them in _internal?
I am not adding any data sources in _internal.
And I am not getting any data in the indexes created by me, still license is consumed; that is the reason I am considering that _internal data is consuming license.
Is my understanding correct or not?
Am I using the wrong query to check license usage?
Hi kalyani,
Maybe you can run the query from How to get the License usage by host - (with a license master-slave setup)
It's -
index=_internal source=*license_usage.log* type=Usage earliest=@d |bucket _time span=1d |stats sum(b) AS volume_bytes by _time host pool i |eval volume_GB=round(volume_bytes/1024/1024/1024,3) |rename i AS indexer_GUID |JOIN indexer_GUID [|REST /services/licenser/slaves | table title label|rename title AS indexer_GUID| rename label AS indexer_name]|timechart values(volume_GB) by indexer_name usenull=f useother=f
Just to ensure that we are on the same page ;-)
Hi Drillic,
Thank you for the query; it is showing the data indexed on each slave.
But my question is why _internal logs are being considered in license.
Are there any settings by which we can define which logs should be considered in license?
Please suggest something.