Why is the "Daily License Usage" showing incorrect values?

Path Finder


I recently migrated a Splunk instance from a Windows environment to a Linux environment. Since the migration, dashboards on the "License Usage" page have been displaying usage values up to ten times larger than are actually being indexed. There have been no license violations, so this data can't be correct. What might be causing this?

Tags (1)
0 Karma

Splunk Employee
Splunk Employee

Hi khagan,

I assume the Splunk instant you migrated is the license master, right? Because if it's a license slave, none of the migration activities matter.

On the license master, please review license_usage.log under SPLUNK_HOME/var/log/ to see what has caused the increased license usage.
You can also use the following searches in Splunk Web to investigate your license consumption issue.

index=_internal component=LicenseUsage* | top type

index=_internal component=Metrics per_index_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals

Hope it helps. Thanks!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...