Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does my search for 14 Day License usage only seem to show a rolling 3 days worth of log files?

Esky73
Builder
‎08-22-2016 11:00 PM

Here's my search:

index=_internal  source=*license_usage.log* type=Usage (idx="main") | bucket span=1d _time | stats sum(b) as bytes by _time idx | eval gb=round(bytes/1024/1024/1024,3) | fields - bytes| timechart sum(gb) by idx limit=20

Output looks like this below. Not sure why it's happening. I thought it was because I only had 3 days worth of log files, but the meta data should be stored in the _internal index right?

main

2016-08-09

2016-08-10

2016-08-11

2016-08-12

2016-08-13

2016-08-14

2016-08-15

2016-08-16

2016-08-17

2016-08-18

2016-08-19

2016-08-20

2016-08-21 0.002
2016-08-22 0.046
2016-08-23 0.032

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Esky73
Builder
‎08-29-2016 07:07 PM

there seems to be a bug in our env (6.2.3) where none of the DMC data was being populated properly. The workaround was to go into the DMC on the master node > select setup > and apply which seemed to restore all the dashboards.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Esky73
Builder
‎08-29-2016 07:07 PM

there seems to be a bug in our env (6.2.3) where none of the DMC data was being populated properly. The workaround was to go into the DMC on the master node > select setup > and apply which seemed to restore all the dashboards.

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎08-23-2016 09:03 AM

source=license_usage.log////
The correct source is the full path of that license_usage.log file. To correct that, you can add a * before.

please try

by sourcetype - 

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st useother=false

by indexer - 

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by i useother=false
0 Karma
Reply
Solved! Jump to solution

Esky73
Builder
‎08-23-2016 09:24 PM

OK for some reason the MN where the app is running is not populating the _internal for more than ~3 days.

If i run the search on the SH i get what i expect - the last 14 days of usage

MN is the Master License

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎08-24-2016 02:19 AM

Hi, Great to know that SH reports 14 day license usage.
if the issue was resolved, could you please accept this as the answer, thanks.

0 Karma
Reply
Solved! Jump to solution

Esky73
Builder
‎08-29-2016 07:07 PM

there seems to be a bug in our env (6.2.3) where none of the DMC data was being populated properly. The workaround was to go into the DMC on the master node > select setup > and apply which seemed to restore all the dashboards.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...