Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does my search for 14 Day License usage only seem to show a rolling 3 days worth of log files?

Esky73
Builder
‎08-22-2016 11:00 PM

Here's my search:

index=_internal  source=*license_usage.log* type=Usage (idx="main") | bucket span=1d _time | stats sum(b) as bytes by _time idx | eval gb=round(bytes/1024/1024/1024,3) | fields - bytes| timechart sum(gb) by idx limit=20

Output looks like this below. Not sure why it's happening. I thought it was because I only had 3 days worth of log files, but the meta data should be stored in the _internal index right?

main

2016-08-09

2016-08-10

2016-08-11

2016-08-12

2016-08-13

2016-08-14

2016-08-15

2016-08-16

2016-08-17

2016-08-18

2016-08-19

2016-08-20

2016-08-21 0.002
2016-08-22 0.046
2016-08-23 0.032

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Esky73
Builder
‎08-29-2016 07:07 PM

there seems to be a bug in our env (6.2.3) where none of the DMC data was being populated properly. The workaround was to go into the DMC on the master node > select setup > and apply which seemed to restore all the dashboards.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Esky73
Builder
‎08-29-2016 07:07 PM

there seems to be a bug in our env (6.2.3) where none of the DMC data was being populated properly. The workaround was to go into the DMC on the master node > select setup > and apply which seemed to restore all the dashboards.

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎08-23-2016 09:03 AM

source=license_usage.log////
The correct source is the full path of that license_usage.log file. To correct that, you can add a * before.

please try

by sourcetype - 

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st useother=false

by indexer - 

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by i useother=false
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

Esky73
Builder
‎08-23-2016 09:24 PM

OK for some reason the MN where the app is running is not populating the _internal for more than ~3 days.

If i run the search on the SH i get what i expect - the last 14 days of usage

MN is the Master License

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎08-24-2016 02:19 AM

Hi, Great to know that SH reports 14 day license usage.
if the issue was resolved, could you please accept this as the answer, thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

Esky73
Builder
‎08-29-2016 07:07 PM

there seems to be a bug in our env (6.2.3) where none of the DMC data was being populated properly. The workaround was to go into the DMC on the master node > select setup > and apply which seemed to restore all the dashboards.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...