Monitoring Splunk

License usage over 7 days

mvagionakis
Path Finder

Hello everyone,

For a while now, I have not been able to see my license usage for more than 7 days.
At the beginning I thought that it was a bad setting on my _internal index that could drop the data beyond the 7-day period, but I was mistaken.

I saw that beyond 7 days, there is no source like license_usage.log in my _internal index.

I double-checked all my *.conf files but found no parameter that could delete data.

My infrastructure consists of:

1 SH
4 Idxs
1 Master

Do you have any idea that could explain this phenomenon?

Thank you in advance,
Michael

PS: the master and SH are forwarding data to the indexers.

0 Karma

p_gurav
Champion

Can you try searching on the indexers to check whether the license server's _internal logs are coming in or not?

0 Karma

mvagionakis
Path Finder

Hello p_gurav,

Already done it, I have logs for exactly 7 days...when I say exactly, it is very precise, 7d0h0m0s 😞

0 Karma

ansif
Motivator

@mvagionakis Did you find the root cause?

0 Karma

tiagofbmm
Influencer

Could you have your license_usage.log checked for data longer than that?

Do you have the most recent data?

Could someone have deleted data older than those 7 days of usage? Do you always have those 7 days and no more than that at all times?

0 Karma

mvagionakis
Path Finder

Hello tiagofbmm,

As I said, I have no data for license_usage.log longer than exactly 7 days.
I do have the most recent data.

No one else has access; I'm the only admin.

0 Karma

tiagofbmm
Influencer

Use btool to figure out what retention period you have on this one. It's too precise, so there must be a default retention period for the internal indexes somewhere in your environment.

$SPLUNK_HOME/bin/btool indexes list --debug and check for the internal.

0 Karma
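
The btool check suggested above can be automated. The following is an added example, not part of any post in this thread: it parses `btool indexes list --debug` output and reports every index whose effective `frozenTimePeriodInSecs` (the indexes.conf age-based retention setting) is 7 days or less, together with the file that supplied the value. The sample output and the app name `org_all_indexes` are constructed for illustration.

```python
import re

# Constructed sample of `btool indexes list --debug` output (not from the thread).
# Each line is "<file that supplied the setting>  <stanza header or key = value>".
SAMPLE = """\
/opt/splunk/etc/system/default/indexes.conf  [_audit]
/opt/splunk/etc/system/default/indexes.conf  frozenTimePeriodInSecs = 188697600
/opt/splunk/etc/system/default/indexes.conf  [_internal]
/opt/splunk/etc/apps/org_all_indexes/local/indexes.conf  frozenTimePeriodInSecs = 604800
/opt/splunk/etc/system/default/indexes.conf  maxTotalDataSizeMB = 500000
"""

# Source path runs up to the first ".conf" that is followed by whitespace.
LINE = re.compile(r"^(?P<src>\S.*?\.conf)\s+(?P<body>.+)$")

def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_file)}} from --debug output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        body = m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            current = stanzas.setdefault(body[1:-1], {})
        elif current is not None and "=" in body:
            key, value = (p.strip() for p in body.split("=", 1))
            current[key] = (value, m.group("src"))
    return stanzas

def short_retention(text, max_days=7):
    """List (index, days, source_file) where retention is <= max_days."""
    hits = []
    for name, settings in parse_btool_debug(text).items():
        value, src = settings.get("frozenTimePeriodInSecs", (None, None))
        if value is not None and value.isdigit() and int(value) <= max_days * 86400:
            hits.append((name, int(value) / 86400, src))
    return hits

if __name__ == "__main__":
    import sys
    # Pipe real btool output in; with no piped input the constructed sample is used.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, days, src in short_retention(text):
        print(f"{name}: frozen after {days:g} days, set in {src}")
```

Because the master and SH forward their data to the indexers, the output to inspect is the one produced on the indexers, where the `_internal` events are actually stored.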