Security

Splunk License Usage showing everything by host

mmletzko
Path Finder

I have 2 Splunk systems - Prod and QA. Both are running the same version, have the same data before forwarded to them, etc. When I run the Splunk License Usage in Prod, it works fine - I've even added some for 7 and 30 day periods.

But, when I use the license app for QA, every applet is showing the results based on hosts, not source or sourcetype. If I manually run the query for a particular applet in the search screen, it shows hosts across the top, not sourcetype. But, if I look at my main Splunk screen, the sourcetypes are there and seems to be working correctly.

If I execute the query in the search app, I get the same thing - column headings with hosts instead of sourcetypes.

index="_internal" source="/*/metrics.log" per_sourcetype_thruput | timechart sum(kb) by series

What would cause this?

Thanks!

mmletzko
Path Finder

Thanks for the reply Simeon. I figured out the problem. Somehow my inputs.conf file got poplulated with a bunch of things that shouldn't have been in there, and missing what should have been in there. Once I got that fixed, the licensing information was OK.

0 Karma

Simeon
Splunk Employee
Splunk Employee

The search query you have shown is specific to sourcetype thruput. Unless Splunk is using the host value as the sourcetype, it might simply be a charting label issue. If you want host specific statistics, you can run this search:

index="_internal" source="/*/metrics.log" per_host_thruput | timechart sum(kb) by series

Note that any of the metrics.log per_*_thruput entries are limited to the top ten series. If you want to increase this value, you can edit the limits.conf file for the number of values used in the metrics.log file.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...