License usage over 7days

mvagionakis · ‎03-19-2018

Hello everyone,

since a while, I cannot see my license usage for more than 7 days.
At the beginning I thought that it was a bad setting on my _internal index that could drop the data over the 7 days period but I was mistaken.

I saw that beyond 7 days, there is no source like in my _internal index

license_usage.log

I double verified all my *.conf files but no parameter that could delete data.

My infrastructure consists of:

1 SH
4 Idxs
1 Master

Do you have any idea that could explain this phenomenon?

thank you in advance
Michael

ps: master and SH forwarding data to the indexers

p_gurav · ‎03-19-2018

Can you try searching on indexers that license server _internal logs are coming or not?

mvagionakis · ‎03-19-2018

Hello p_gurav,

Already done it, I have logs for exactly 7 days...when I say exactly, it is very precise, 7d0h0m0s 😞

ansif · ‎07-20-2020

@mvagionakis Did you find the the root cause?

tiagofbmm · ‎03-19-2018

Could you have your license_usage.log checked for data longer than that?

Do you have the most recent data?

Could someone have deleted older data than those 7 days of usage? Do you always have those 7days and no more than that at all times?

mvagionakis · ‎03-19-2018

hello tiagofbmm,

As I said, I have not data for license_usage.log longer than 7 days exactly.
The most recent, I have them.

None else has access , I'm the only admin.

tiagofbmm · ‎03-19-2018

Use brook to figure out what retention period you are having on this one. It's too precise so there must be a default retention period for the internal indexes somewhere in you environment.

$SPLUNK_HOME/bin/btool indexes list --debug and check for the internal.

License usage over 7days

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?