Installation

Why are our Splunk _internal logs consuming license?

New Member

Hi Team,

I need help on below scenario:

We have master-slave architecture in Splunk: 1 master indexer and 3 slave indexers.
We have 5 GB of license.
From a few days, it is noticed that Splunk _internal logs (splunkd.log,metrics.log,mongod.logs) are consuming the license.
But according to the answers available here, Splunk should not consider the _internal data in license usage.
Please find below links for the same:

https://answers.splunk.com/answers/302907/does-the-indexing-of-splunk-internal-logs-such-as.html​

Need some help to fix the above issue.

Thanks & Regards,
kalyani Landge

Labels (1)
0 Karma

Super Champion

may we know, how do you say that _internal logs are consuming the license? i

when you run this, do you get "_internal" is listed as well?

    index=_internal source=*license_usage.log* type=Usage 
    | timechart span=1d sum(b) AS volume_b by idx
0 Karma

New Member

I can say this because when i searched for the data using all the index created by me for all the HF , It is showing no results found.
But when i am searching for the same HF using index=_internal it is giving more number of events which is in lakhs.
Am i thinking in a wrong direction?

0 Karma

Super Champion

index=_internal contains all info about the splunk servers, including the license info. but, these events will have a field called "idx" (the name of the index).

_internal indexes can not consume license.
and also, the summary indexes dont consume license.

can you please update us your search query..

0 Karma

New Member

Please find the below query :

index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1034 | stats sum(MB) by h | sort sum(MB) | reverse | addcoltotals

There is no other index data on the hosts except _internal , still it is giving 5 MB,6 MB data some 500 hosts .There are 1000 hosts and we have 5 GB license only.
what other possible things should I check ?

0 Karma

Splunk Employee
Splunk Employee

Splunk internal sourcetypes will not count against license usage as contained in "_index". However, if you try and add data sources and put them in _internal, those will count against the license. Have you added in data sources and put them in _internal?

0 Karma

New Member

I am not adding any data sources in _internal.
And I am not getting any data in the indexes created by me still license in consumed, that is the reason I am considering that _internal data in consuming license.
Is my understanding correct or not?
Am I using the wrong query to check license usage.

0 Karma

Ultra Champion

Hi kalyani,

Maybe you can run the query from How to get the License usage by host - (with a license master-slave setup)

It's -

index=_internal source=*license_usage.log* type=Usage earliest=@d |bucket _time span=1d |stats sum(b) AS volume_bytes by _time host pool i |eval volume_GB=round(volume_bytes/1024/1024/1024,3) |rename i AS indexer_GUID |JOIN indexer_GUID [|REST /services/licenser/slaves | table title label|rename title AS indexer_GUID| rename label AS indexer_name]|timechart values(volume_GB) by indexer_name usenull=f useother=f

Just to ensure that we are on the same page ; -)

0 Karma

New Member

Hi Drillic ,

Thank you for the query and it is showing the data indexed on each slave.
But my question is why _internal logs are considering in license.
Is there any settings by which we can define which all logs should be considered in license.

Please suggest something.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!