Why are our Splunk _internal logs consuming license?

Hi Team,

I need help with the scenario below:

We have master-slave architecture in Splunk: 1 master indexer and 3 slave indexers.
We have 5 GB of license.
For the past few days, we have noticed that Splunk _internal logs (splunkd.log, metrics.log, mongod.logs) are consuming the license.
But according to the answers available here, Splunk should not consider the _internal data in license usage.
Please find below links for the same:

Need some help to fix the above issue.

Thanks & Regards,
kalyani Landge

May we know how you can say that _internal logs are consuming the license?

When you run this, is "_internal" listed as well?

    index=_internal source=*license_usage.log* type=Usage 
    | timechart span=1d sum(b) AS volume_b by idx

I can say this because when I searched for the data using all the indexes created by me for all the HFs, it showed no results found.
But when I search for the same HF using index=_internal, it gives a much larger number of events, which is in lakhs.
Am I thinking in the wrong direction?

index=_internal contains all info about the Splunk servers, including the license info. But these events will have a field called "idx" (the name of the index).

_internal indexes cannot consume license.
And also, the summary indexes don't consume license.

Can you please update us with your search query?

Please find the query below:

    index=_internal source=*license_usage.log type=Usage
    | eval MB=b/1024/1024
    | stats sum(MB) by h
    | sort sum(MB)
    | reverse
    | addcoltotals

There is no other index data on the hosts except _internal, yet it is showing 5 MB or 6 MB of data for some 500 hosts. There are 1000 hosts and we have a 5 GB license only.
What other possible things should I check?

Splunk internal sourcetypes will not count against license usage as contained in "_index". However, if you try and add data sources and put them in _internal, those will count against the license. Have you added in data sources and put them in _internal?

I am not adding any data sources in _internal.
And I am not getting any data in the indexes created by me, yet license is still consumed; that is the reason I am considering that _internal data is consuming license.
Is my understanding correct or not?
Am I using the wrong query to check license usage?

Hi kalyani,

Maybe you can run the query from How to get the License usage by host - (with a license master-slave setup)

It's -

    index=_internal source=*license_usage.log* type=Usage earliest=@d
    | bucket _time span=1d
    | stats sum(b) AS volume_bytes by _time host pool i
    | eval volume_GB=round(volume_bytes/1024/1024/1024,3)
    | rename i AS indexer_GUID
    | JOIN indexer_GUID
        [| REST /services/licenser/slaves
         | table title label
         | rename title AS indexer_GUID
         | rename label AS indexer_name]
    | timechart values(volume_GB) by indexer_name usenull=f useother=f

Just to ensure that we are on the same page ;-)

Hi Drillic,

Thank you for the query; it is showing the data indexed on each slave.
But my question is why _internal logs are being considered in license.
Is there any setting by which we can define which logs should be considered in license?

Please suggest something.
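
An added example, not part of the thread and not Splunk's own code: a Python script that parses license_usage.log lines and sums `b` by `idx` and by `h`, showing that events stored in index=_internal carry in `idx` the name of the index the bytes were counted against, as noted earlier in the thread. The sample lines are constructed, and their layout beyond the fields used in the thread's queries (`type`, `b`, `h`, `i`, `idx`, `pool`) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key=value layout of license_usage.log
# (hosts, GUIDs and byte counts are made up for this example).
SAMPLE = '''\
03-01-2024 10:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app.log" st="app" h="hf01" o="" idx="main" i="GUID-A" pool="auto_generated_pool_enterprise" b=5242880 poolsz=5368709120
03-01-2024 10:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/secure" st="linux_secure" h="hf02" o="" idx="os" i="GUID-A" pool="auto_generated_pool_enterprise" b=1048576 poolsz=5368709120
03-01-2024 10:01:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app.log" st="app" h="hf01" o="" idx="main" i="GUID-B" pool="auto_generated_pool_enterprise" b=1048576 poolsz=5368709120
03-01-2024 10:01:01.000 +0000 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_enterprise" b=7340032
'''

# key=value pairs; the value is either double-quoted or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return the key=value fields of one license_usage.log line as a dict."""
    return {key: (bare or quoted) for key, quoted, bare in KV.findall(line)}

def usage_by(text, *keys):
    """Sum b (bytes) over type=Usage events, grouped by the given fields."""
    totals = defaultdict(int)
    for line in text.splitlines():
        fields = parse_line(line)
        # Skip summary rows and anything without a byte count.
        if fields.get("type") != "Usage" or "b" not in fields:
            continue
        totals[tuple(fields.get(k, "") for k in keys)] += int(fields["b"])
    return dict(totals)

def internal_index_bytes(text):
    """Bytes attributed to indexes whose name starts with an underscore."""
    by_idx = usage_by(text, "idx")
    return sum(b for (idx,), b in by_idx.items() if idx.startswith("_"))

if __name__ == "__main__":
    # Per-host totals (what "stats sum(MB) by h" shows), split by idx.
    for (h, idx), b in sorted(usage_by(SAMPLE, "h", "idx").items()):
        print(f"{h:6} {idx:10} {b / 1024 / 1024:8.2f} MB")
    print("bytes charged to _* indexes:", internal_index_bytes(SAMPLE))
```

Grouping by both `h` and `idx` shows which index each host's reported volume was counted against, which the per-host total alone does not reveal.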

