license_usage.log key

rayar · ‎05-05-2020

Hi
I am trying to understand what is the below for in license_usage.log
and how I can find it's configuration

05-06-2020 08:43:02.499 +0300 INFO LicenseUsage - type=Usage s="/data/logs/log_from_DP_Test/int/TEST/log_to_Splunk.csv.20200506084158834" st=dp_log h=DPINT o="" idx="log_from_dp_test" i="85B0888C-36DF-45C7-9365-D754F1D9F343" pool="Integration" b=98919 poolsz=21349007360

PavelP · ‎05-06-2020

Hello @rayar,

s= - source
st= - sourcetype
h= - host
idx= - index
i= - ID of the sending splunk instance
pool= - license pool
b= - amount of bytes this event referenced to
poolsz= - license pool size (your license is 20GB/day license)

I hope it helps

rayar · ‎05-06-2020

thanks a lot for the information
the issue is that I don't have this host and index configured in my system and I am looking for the configuration for it to disable it

PavelP · ‎05-06-2020

Hello @rayar,

the host can be named differently. The ID of the machine stored in $SPLUNK_HOME/etc/instance.cfg

Try to grep all logs for this GUID to find a sending host.

rayar · ‎05-06-2020

[splunk@ilissplmstr01 etc]$ cat instance.cfg
[general]
guid = C7623105-1D08-4451-8FC9-DCCE1F03C748
[splunk@ilissplmstr01 etc]$

the only event I have are

05-06-2020 12:57:34.291 +0300 INFO LicenseUsage - type=Usage s="/data/logs/log_from_DP_Test/int/TEST/log_to_Splunk.csv.20200506125633925" st=dp_log h=DPINT o="" idx="log_from_dp_test" i="85B0888C-36DF-45C7-9365-D754F1D9F343" pool="Integration" b=98785 poolsz=21349007360

index=_* DPINT | stats count by source

/opt/splunk/var/log/splunk/license_usage.log 297539
/opt/splunk/var/log/splunk/remote_searches.log 60
/opt/splunk/var/log/splunk/splunkd_ui_access.log 14
audittrail 11

PavelP · ‎05-06-2020

please try

index=_* 85B0888C-36DF-45C7-9365-D754F1D9F343

rayar · ‎05-06-2020

idx h count
apic_logs APIC 161
broker_iqn_prod illiniib1prod 132
broker_rbm_prod 13
broker_rbm_prod illinadmtprd02 1413
broker_rbm_prod illiniib1prod 1410
connectall_prod 13
connectall_prod illinsplcrpfw 92553
dp_transactionextract 2
dp_transactionextract DP_TransactionExtract 638
lms_monitoring_prod 2
lms_monitoring_prod Broker_PROD_Trace 500
log_from_dp 47
log_from_dp DPEXT1 96231
log_from_dp DPEXT2 81869
log_from_dp DPINT1 108500
log_from_dp DPINT2 104858
log_from_dp_test 33
log_from_dp_test DPEXT1 59423
log_from_dp_test DPEXT2 31230
log_from_dp_test DPINT 86567

rayar · ‎05-06-2020

index=_* 85B0888C-36DF-45C7-9365-D754F1D9F343
| stats count by idx h st
broker_rbm_prod _json 13
connectall_prod json-too_small 13
dp_transactionextract dp_Transaction_SummeryIndexing 2
lms_monitoring_prod LMS_Broker_Log_File 2
log_from_dp dp_log 47
log_from_dp_test dp_log 33
APIC apic_logs _json 159
Broker_PROD_Trace lms_monitoring_prod LMS_Broker_Log_File 500
DPEXT1 log_from_dp dp_log 95499
DPEXT1 log_from_dp_test dp_log 59051
DPEXT2 log_from_dp dp_log 81210
DPEXT2 log_from_dp_test dp_log 31008
DPINT log_from_dp_test dp_log 85831
DPINT1 log_from_dp dp_log 107623
DPINT2 log_from_dp dp_log 103919
DP_TransactionExtract dp_transactionextract dp_Transaction_SummeryIndexing 635
illinadmtprd02 broker_rbm_prod _json 1395
illiniib1prod broker_iqn_prod _json 132
illiniib1prod broker_rbm_prod _json 1393
illinsplcrpfw connectall_prod json-too_small 91953

license_usage.log key

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?