Hello community.
We have a cluster architecture with 5 indexes. We have detected high license consumption, we are trying to identify the sources that generate it. I am using the following search to find out which Windows index host consumes the most license:
index=_internal type="Usage" idx=wineventlog
| eval MB=round(b/1024/1024, 2)
| stats sum(MB) as "Consumo de Licencia (MB)" by h
| rename h as "Host"
| sort -"Consumo de Licencia (MB)"
With this search I can see the hosts and their consumption in megabytes, but in the h field there are no values or hosts, which I cannot identify, and I need to know which hosts those are, since the sum of all of them gives me a high license consumption. What could be the cause of that?
These are the events from the unknown hosts:
I cannot identify what they are, if they are a specific host, if it is a Splunk component, or something that is causing this license increase.
Regards
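Added example, not part of the original post: a small Python script that does offline what the SPL search above does over license_usage.log "type=Usage" lines, but keeps entries whose h field is blank under an explicit label so their share of the index's usage is visible instead of appearing as an empty row. The line layout follows the default license_usage.log format as I know it; the host names, byte counts and the idx value are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of license_usage.log "type=Usage" lines
# (field layout assumed from the default format; hosts and byte counts are made up).
SAMPLE_LOG = """\
06-10-2023 12:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st="WinEventLog:Security" h="dc01" o="" idx="wineventlog" i="AAAA" pool="auto_generated_pool_enterprise" b=5242880 poolsz=53687091200
06-10-2023 12:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="WinEventLog:System" st="WinEventLog:System" h="dc01" o="" idx="wineventlog" i="AAAA" pool="auto_generated_pool_enterprise" b=1048576 poolsz=53687091200
06-10-2023 12:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st="WinEventLog:Security" h="ws07" o="" idx="wineventlog" i="AAAA" pool="auto_generated_pool_enterprise" b=3145728 poolsz=53687091200
06-10-2023 12:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="" st="" h="" o="" idx="wineventlog" i="AAAA" pool="auto_generated_pool_enterprise" b=20971520 poolsz=53687091200
06-10-2023 12:00:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary peak=1 tsize=53687091200
"""

UNATTRIBUTED = "<h empty>"   # label for Usage entries whose h field is blank
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare

def parse_usage(log_text):
    """Yield one dict of key/value fields per type=Usage line; other types are skipped."""
    for line in log_text.splitlines():
        if "LicenseUsage - type=Usage" not in line:
            continue
        yield {k: (q or u) for k, q, u in FIELD_RE.findall(line)}

def usage_by_host(log_text, idx=None):
    """Sum bytes per host in MB (2 decimals), sorted descending, like the SPL search.
    Blank h values are grouped under UNATTRIBUTED instead of becoming an empty key."""
    totals = defaultdict(int)
    for f in parse_usage(log_text):
        if idx is not None and f.get("idx") != idx:
            continue
        totals[f.get("h") or UNATTRIBUTED] += int(f.get("b", 0))
    ordered = sorted(totals.items(), key=lambda kv: -kv[1])
    return {h: round(b / 1024 / 1024, 2) for h, b in ordered}

def unattributed_share(log_text, idx=None):
    """Fraction (3 decimals) of the selected usage that carries no host value."""
    by_host = usage_by_host(log_text, idx)
    total = sum(by_host.values())
    return round(by_host.get(UNATTRIBUTED, 0.0) / total, 3) if total else 0.0

if __name__ == "__main__":
    for host, mb in usage_by_host(SAMPLE_LOG, idx="wineventlog").items():
        print(f"{host:<12} {mb:>8.2f} MB")
    print("unattributed share:", unattributed_share(SAMPLE_LOG, "wineventlog"))
```

One Splunk behaviour worth checking when h is blank in these events: when an indexer sees more distinct host/source combinations than its configured squash threshold, it records the usage with h and s left empty (splunkd.log warns about squashing), so the bytes are real but no longer attributable per host from license_usage.log alone.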