Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I see why our license usage went up?

ichesla1111
Path Finder
‎12-15-2022 08:46 AM

Hello!

Last week (12/8/2022) my license usage went through the roof, for one source type that used 24 GB. On the other hand, when looking at the sourcetype, there were no events pulled into Splunk that day (no events since 9/16). What is the cause of this issue?? How can I see why our license usage went up??

Also
-->events pulled in that day (12/8) were same number of events we get pulled in on an average day YET our license usage was at 24.

ichesla1111_0-1671122737477.png

Thank you.

 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-15-2022 10:00 AM

It's not possible to consume license with no events so you should view those results with suspicion.

Bytes should be converted to GB *after* they have been summed.  Otherwise, you may be adding numbers that have been rounded to zero.

index=_internal source=*license_usage.log 
| stats count as events, sum(b) as bytes by st
| eval GB = round(bytes/1024/1024/1024, 3)
| table st events GB

To find the cause of the error, we need to run more searches to try to isolate the problem.  This search should identify the host sending the excess events. (Change "foo" to the name of the index in which the secret sourcetype is stored.)

| tstats count where sourcetype=<<secret sourcetype>> index=foo by host

Once you've identified the problem host, contact the owner/admin of that system to find out what changed right before the sudden spike in ingest.

This query can help spot the problem source.

| tstats count where sourcetype=<<secret sourcetype>> index=foo host=bar by source

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ichesla1111
Path Finder
‎12-15-2022 11:46 AM

Thank you for getting back to me! When trying the searches you shared, it will not let me see data before 12/10 even when the search time frame is set to Month-Date. I need to see the data for 12/08 so I set the search time from the beginning to the end of the day of 12/08, yet it returns no results found. How can I get the search to show me data from 12/08?? Thank you.

tempsnip.png

ichesla1111_0-1671132773443.png

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-15-2022 01:44 PM

It looks like your internal index is configured to save less than the default 30 days of events.  If that's the case then the data most likely is gone for good.

If your company archives the data then you may be able to restore it.  You would need to identify the buckets containing the events for the day of interest, load them into the appropriate "thawed" directory and rebuild the _internal index.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games Tutorial Extension - part 9

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games Tutorial Extension - part 8

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Introducing the Splunk Developer Program!

Hey Splunk community! We are excited to announce that Splunk is launching the Splunk Developer Program in ...
Top