- Find Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Re: License usage data missing from splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
License usage data missing from splunk
License usage data is missing from splunk.
index=_internal source=license_usage.log
Once the master is restarted the data starts indexing for this source and will index the data for few hours and then again it will stop.
Can someone please assist?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
if your license master is indexing his _internal-data locally (which is not the best practice approach) it could happen that your instance stops indexing after reaching a minimum of 5GB disk space on your partition. (splunk-default).
Another option could be, that my source value for the usage.log looks like this
source=/opt/splunk/var/log/splunk/license_usage.log
Your query should be looking like this source=*license_usage.log
Additionally there could be a problem with Splunk writting the logfiles, but this could only be determined if there are any warnings or errors under splunkd.log.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to prevent the index from stopping to index after reaching a min of 5GB?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stop using your license master as an indexer!!
Like pyro_wood advised, you should forward your License Master Logs (and any other Splunk instance that isn't an indexer) to your indexers!!
You can do this by going to settings > Forwarding & Receiving > Configuring Forwarding, or by using outputs.conf
https://docs.splunk.com/Documentation/Forwarder/6.6.0/Forwarder/Configureforwardingwithoutputs.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
very broad question, so any other info you can provide might help resolve faster
try and search:
index=_internal source=*license_usage.log*
you will notice you need the wild card as this logs rotates and naming changes to:
license_usage.log.1
license_usage.log.2
.
.
.
license_usage.log.n
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This did not help, tried it.
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
