Phantom sourcetypes being reported against license...

Cuyose · ‎05-22-2014

In my license usage reports its showing a couple sourcetypes that are taking a lot of indexing volume, however they actual exist NOWHERE.

Where is splunk counting these phantom events and how can I find out where they are coming from as searching by them is not working.

sourctypes being reported are weblogic_stdout, and app I do not have any sourcetypes configured for these and doing a top sourcetype neve shows these even listed in any index.

yannK · ‎05-27-2014

Maybe the events are not in your usual indexes :

look for :
index=* OR index=_* sourcetype=*weblogic_stdout*

and check in your license logs for the source/index/host

index=_internal source=*license_usage.log* st=weblogic_stdout | stats count by idx s h st

Cuyose · ‎05-27-2014

It appears this is a source type applied to the internal index when it reports license usage.
index=* OR index=* sourcetype=weblogic_stdout returns nothing, but your other query returns this for events up to the minute.
05-27-2014 18:40:08.405 +0000 INFO LicenseUsage - type=Usage s="{monitored input}app.log" st=weblogic_stdout h="HOST" o="" i="6416B9E4-AAE0-4A70-A1FE-1233DE1B42E6" pool="auto_generated_pool_enterprise" b=3618 poolsz=2147483648,
but thats the only source returning, and its source type is not web logic when I search for that source.

yannK · ‎05-27-2014

have you identified the index where they are located ?

martin_mueller · ‎05-22-2014

Run this over all time from a user able to view all indexes:

| metadata type=sourcetypes index=*

Phantom sourcetypes being reported against license volume

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!