Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why does my search for 14 Day License usage only s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's my search:
index=_internal source=*license_usage.log* type=Usage (idx="main") | bucket span=1d _time | stats sum(b) as bytes by _time idx | eval gb=round(bytes/1024/1024/1024,3) | fields - bytes| timechart sum(gb) by idx limit=20
Output looks like this below. Not sure why it's happening. I thought it was because I only had 3 days worth of log files, but the meta data should be stored in the _internal index right?
main
2016-08-09
2016-08-10
2016-08-11
2016-08-12
2016-08-13
2016-08-14
2016-08-15
2016-08-16
2016-08-17
2016-08-18
2016-08-19
2016-08-20
2016-08-21 0.002
2016-08-22 0.046
2016-08-23 0.032
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
there seems to be a bug in our env (6.2.3) where none of the DMC data was being populated properly. The workaround was to go into the DMC on the master node > select setup > and apply which seemed to restore all the dashboards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
there seems to be a bug in our env (6.2.3) where none of the DMC data was being populated properly. The workaround was to go into the DMC on the master node > select setup > and apply which seemed to restore all the dashboards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
source=license_usage.log////
The correct source is the full path of that license_usage.log file. To correct that, you can add a * before.
please try
by sourcetype -
index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st useother=false
by indexer -
index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by i useother=false
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK for some reason the MN where the app is running is not populating the _internal for more than ~3 days.
If i run the search on the SH i get what i expect - the last 14 days of usage
MN is the Master License
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Great to know that SH reports 14 day license usage.
if the issue was resolved, could you please accept this as the answer, thanks.
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
there seems to be a bug in our env (6.2.3) where none of the DMC data was being populated properly. The workaround was to go into the DMC on the master node > select setup > and apply which seemed to restore all the dashboards.
Level Up Your .conf25: Splunk Arcade Comes to Boston
Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
