Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk License Usage showing everything by host

mmletzko
Path Finder
‎10-22-2010 01:05 PM

I have 2 Splunk systems - Prod and QA. Both are running the same version, have the same data before forwarded to them, etc. When I run the Splunk License Usage in Prod, it works fine - I've even added some for 7 and 30 day periods.

But, when I use the license app for QA, every applet is showing the results based on hosts, not source or sourcetype. If I manually run the query for a particular applet in the search screen, it shows hosts across the top, not sourcetype. But, if I look at my main Splunk screen, the sourcetypes are there and seems to be working correctly.

If I execute the query in the search app, I get the same thing - column headings with hosts instead of sourcetypes.

index="_internal" source="/*/metrics.log" per_sourcetype_thruput | timechart sum(kb) by series

What would cause this?

Thanks!

Reply

mmletzko
Path Finder
‎11-01-2010 03:16 PM

Thanks for the reply Simeon. I figured out the problem. Somehow my inputs.conf file got poplulated with a bunch of things that shouldn't have been in there, and missing what should have been in there. Once I got that fixed, the licensing information was OK.

0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎10-22-2010 05:07 PM

The search query you have shown is specific to sourcetype thruput. Unless Splunk is using the host value as the sourcetype, it might simply be a charting label issue. If you want host specific statistics, you can run this search:

index="_internal" source="/*/metrics.log" per_host_thruput | timechart sum(kb) by series

Note that any of the metrics.log per_*_thruput entries are limited to the top ten series. If you want to increase this value, you can edit the limits.conf file for the number of values used in the metrics.log file.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...