4

I am evaluating 4.1 under the free license and have 2 days of data, and am trying to get a feel for the indexing volume for estimating license needs.

Manager>>License shows 318MB for Peak Usage but the Splunk License Usage app always shows "No results found" for all seven sections.

I'm trying to get far more granular indexing info, does the usage app not work with a free license? Is there something additional I need to install or configure?


2 Answers

3

I was actually having this same issue, but I just found the solution today :-)

Go to Manager>Data Inputs>Files & Directories, and make sure that the $SPLUNK_HOME/var/log/splunk directory is enabled. For some reason it was disabled for me by default, and thus there was nothing posting to _internal. After enabling it, the license usage data started to be populated.

Awesome, that was exactly it. Now I have data in the License Usage app for the first time. This makes it drastically easier to evaluate Splunk for larger deployments. Thanks very much! – mauiguru Jul 15 at 8:35
1

I just looked into the License Usage app. It's a quite nice application, built by a customer. I'm going to write him a thanks and kudos.

I suspect you're on Windows? The app seems to look in the _internal index for data sources by path, expecting that they will contain forward slashes, e.g. source="/*/metrics.log".

You can override these searches in etc/apps/splunk_license_usage/local/savedsearches.conf, e.g.:

[kBs Indexed in Past 24 Hours by Host]
search = index="_internal" source="*metrics.log" per_host_thruput | timechart sum(kb) by series

I'll send the author a note.

No, I am on OpenSuse 11.2 running a single Splunk instance and am not using Splunk on any Windows machines at all. My data sources are the local host and a few remote syslogs feeding directly to Splunk on port 514. Splunk itself seems to be working well, I'm just looking for details to determine the data size of various sources so that I can make intelligent choices about cost/benefit for specific event types. Other posts I've read here imply that this app does exactly that, but so far it hasn't returned any info at all. – mauiguru Apr 14 at 2:36
btw, should that search return anything in Splunk itself? It returns "No results found" when I use it from the search bar. – mauiguru Apr 14 at 2:39
This sounds like you have Splunk configured as a light forwarder perhaps for some reason. The question essentially becomes, where is your index=_internal data? Seems kind of support-y, since I can't really guess the answer from here. – jrodman Apr 14 at 5:52
According to manager>>indexes it's located at /opt/splunk/var/lib/splunk/_internaldb/db. However, it is size 0 with 0 events. Is there something that needs to be configured or enabled to populate this index? – mauiguru Apr 16 at 11:30
Probably your instance is set up to forward all its data somewhere else. Splunk Answers is a mechanism for all Splunkers (employees, customers, partners, etc.) to get information on best practices, howtos, and information on how Splunk parts work. It's not really a troubleshooting channel, and works poorly at this. Open a ticket at splunk.com/support. – jrodman Apr 16 at 19:06
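
The override search in the answer above sums the kb field of per_host_thruput events from metrics.log by series. As an added example (not from the thread or from the License Usage app), the same aggregation can be run directly over metrics.log lines, which still works when the _internal index is empty. The sample lines are constructed, the key=value layout is assumed to match metrics.log, and the one-hour bucket is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample lines; the key=value layout is assumed to match metrics.log.
SAMPLE = [
    '04-14-2010 02:30:01.101 INFO  Metrics - group=per_host_thruput, series="fw01", kbps=1.20, eps=3.10, kb=37.25',
    '04-14-2010 02:30:01.101 INFO  Metrics - group=per_host_thruput, series="localhost", kbps=0.40, eps=1.00, kb=12.50',
    '04-14-2010 02:30:01.102 INFO  Metrics - group=per_source_thruput, series="/var/log/messages", kbps=0.40, eps=1.00, kb=12.50',
    '04-14-2010 02:30:32.115 INFO  Metrics - group=per_host_thruput, series="fw01", kbps=0.90, eps=2.00, kb=27.75',
    '04-14-2010 03:00:02.200 INFO  Metrics - group=per_host_thruput, series="fw01", kbps=0.10, eps=0.20, kb=3.00',
    'truncated line group=per_host_thruput, series="fw01"',
]

STAMP = re.compile(r"^(\d{2}-\d{2}-\d{4}) (\d{2}):")
KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_fields(line):
    """Return the key=value pairs of one metrics.log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def kb_by_hour_and_series(lines, group="per_host_thruput"):
    """Offline counterpart of: <group> | timechart span=1h sum(kb) by series."""
    totals = defaultdict(float)
    for line in lines:
        stamp = STAMP.match(line)
        if stamp is None:
            continue  # truncated or wrapped line without a timestamp
        fields = parse_fields(line)
        if fields.get("group") != group or "series" not in fields:
            continue  # a different metrics group, or no series to attribute to
        try:
            kb = float(fields["kb"])
        except (KeyError, ValueError):
            continue  # kb missing or not numeric
        totals[(f"{stamp.group(1)} {stamp.group(2)}:00", fields["series"])] += kb
    return dict(totals)


def kb_by_series(hourly):
    """Collapse the hourly buckets into one total per series (host)."""
    out = defaultdict(float)
    for (_, series), kb in hourly.items():
        out[series] += kb
    return dict(out)


if __name__ == "__main__":
    for (hour, series), kb in sorted(kb_by_hour_and_series(SAMPLE).items()):
        print(f"{hour}  {series:<12} {kb:8.2f} KB")
```

Passing group="per_source_thruput" gives the same breakdown by source instead of by host.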