Splunk Search

Why does my search for 14 Day License usage only seem to show a rolling 3 days worth of log files?

Esky73
Builder

Here's my search:

index=_internal  source=*license_usage.log* type=Usage (idx="main") | bucket span=1d _time | stats sum(b) as bytes by _time idx | eval gb=round(bytes/1024/1024/1024,3) | fields - bytes| timechart sum(gb) by idx limit=20

Output looks like this below. Not sure why it's happening. I thought it was because I only had 3 days worth of log files, but the meta data should be stored in the _internal index right?

main

2016-08-09

2016-08-10

2016-08-11

2016-08-12

2016-08-13

2016-08-14

2016-08-15

2016-08-16

2016-08-17

2016-08-18

2016-08-19

2016-08-20

2016-08-21 0.002
2016-08-22 0.046
2016-08-23 0.032

0 Karma
1 Solution

Esky73
Builder

there seems to be a bug in our env (6.2.3) where none of the DMC data was being populated properly. The workaround was to go into the DMC on the master node > select setup > and apply which seemed to restore all the dashboards.

View solution in original post

0 Karma

Esky73
Builder

there seems to be a bug in our env (6.2.3) where none of the DMC data was being populated properly. The workaround was to go into the DMC on the master node > select setup > and apply which seemed to restore all the dashboards.

0 Karma

inventsekar
Super Champion

source=license_usage.log////
The correct source is the full path of that license_usage.log file. To correct that, you can add a * before.

please try

by sourcetype -

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st useother=false

by indexer -

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by i useother=false 
PS ... If any post helped you in any way, pls give a hi-five to the author with an upvote. if your issue got resolved, please accept the reply as solution.. thanks.
0 Karma

Esky73
Builder

OK for some reason the MN where the app is running is not populating the _internal for more than ~3 days.

If i run the search on the SH i get what i expect - the last 14 days of usage

MN is the Master License

0 Karma

inventsekar
Super Champion

Hi, Great to know that SH reports 14 day license usage.
if the issue was resolved, could you please accept this as the answer, thanks.

PS ... If any post helped you in any way, pls give a hi-five to the author with an upvote. if your issue got resolved, please accept the reply as solution.. thanks.
0 Karma

Esky73
Builder

there seems to be a bug in our env (6.2.3) where none of the DMC data was being populated properly. The workaround was to go into the DMC on the master node > select setup > and apply which seemed to restore all the dashboards.

0 Karma
Get Updates on the Splunk Community!

This Week's Community Digest - Splunk Community Happenings [9.26.22]

Get the latest news and updates from the Splunk Community here! Upcoming User Group Events! 👏 Check ...

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...