There is no results found when i use this dashboard in splunk 6.0 but the first one (today) is working.
How can i fix that ?
Thanks you.
A lack of results in the panels of the "Last 30 days" panel of the License Usage Report View indicates that the License Master instance on which this page is viewed is unable to find events from its own $SPLUNK_HOME/var/log/splunk/license_usage.log
file when searching.
This typically has one of two causes:
$SPLUNK_HOME/var/log/splunk
directory. This can happen if the the [monitor://$SPLUNK_HOME/var/log/splunk]
default data input is disabled for some reason.Running either of your cmds you suggest above fail for me with:
Error in 'foreach' command: arguments must contain at least one field specifier
Is there a typo or part of cmd left off your post above?
I am running splunk v6.4.1
I've been looking at this issue again today and I think Licence master isn't forwarding data to the indexers. How did I come to this conclusion? If I run this command for "Previous 30 days" licence history I get nothing and this is the built-in command:
index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach
However if I modify it by adding splunk_server=local then it works and gives me data for last 30 days.
index=_internal splunk_server=local source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach
I'm assuming when I go to Previous 30 days tab, it searches the index=_internal on indexers (we've got 3 right now) but it doesn't find anything specific to licencing because its not forwarding anything to those indexers? If that's the case how could I forward its internal logs to the indexers. As per the above answer its a best practice solution.
Thanks for all your help so far!
Happy New Year everyone.
I hope someone would be able to provide me an answer.
I was having a similar issue but I think I figured it out. So, my setup was a license server/DMC server. My last 30 days license reports weren't working. I did a bunch of digging and found your notes as well. It was working in a similar setup in non-prod. By chance I looked at my distsearch.conf and noticed that my DMC/license server was categorized as an indexer (it was not setup to forward the data to the other indexers) while in prod that was not the case.
I went into the DMC roles in prod and made my DMC/License server also have the indexer role and my reports started working again.
it was because the forwarder was on 5.4 and the main splunk on 6.0
A lack of results in the panels of the "Last 30 days" panel of the License Usage Report View indicates that the License Master instance on which this page is viewed is unable to find events from its own $SPLUNK_HOME/var/log/splunk/license_usage.log
file when searching.
This typically has one of two causes:
$SPLUNK_HOME/var/log/splunk
directory. This can happen if the the [monitor://$SPLUNK_HOME/var/log/splunk]
default data input is disabled for some reason.Try to run:
$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug
...or use the S.o.S Configuration File Viewer to check your effective inputs.conf settings.
This is a great possible answer, but how do you check if the default data input is disabled?