Splunk_TA_nix is ingesting config_file and our license is being used for it, so I should be able to find those events somewhere, but I cannot. Can anyone explain the results in this image?
I've been seeing the same thing with the Splunk_TA_nix. Did you ever figure it out?
Not really. I believe I disabled the monitor for /etc just to make it stop.
Hi lycollicott,
you should use the license usage report [Settings -- License -- License Usage -- Last 30 days] divided by sourcetype to verify what you indexed in your sourcetypes.
Bye.
Giuseppe
That is how I already identified the problem.
Is config_file a sourcetype that you can find in your license usage report?
Because in Splunk_TA_nix there isn't this sourcetype, so I don't know where you call it.
Bye.
Giuseppe
I believe it is happening here:
[~/etc/apps/Splunk_TA_nix/default] $ grep "config_file" *
grep: data: Is a directory
eventgen.conf:sourcetype = config_file
props.conf:sourcetype = config_file
props.conf:[config_file]
props.conf:TRANSFORMS-fix_source_for_config_file = fix_source_for_config_file
transforms.conf:[fix_source_for_config_file]
[~/etc/apps/Splunk_TA_nix/default] $
The license usage record shows a timestamp of 10:31 AM and you're searching a different time range. I would suggest running your search (also, instead of index=*, use index=os)
for the time range which includes the time shown in license_usage.log.
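As an added example (not part of the original thread), the two searches that the advice above boils down to. The first reads the per-minute type=Usage records that license_usage.log writes, using the fields those records carry (st = sourcetype, s = source, h = host, idx = index, b = bytes), so it tells you which index the config_file bytes were charged to and over which window; it also flags records where h or s is empty, which is what Splunk does once the number of distinct (source, sourcetype, host, index) tuples in an interval exceeds squash_threshold in server.conf. The second search then looks for the events themselves in that index over the same window. The index name os and the 30-day window are assumptions for this thread; substitute the idx value returned by the first search if it differs.

```spl
index=_internal source=*license_usage.log* type=Usage st=config_file
| eval squashed=if(h="" OR s="", "yes", "no")
| stats sum(b) AS bytes, count AS records, min(_time) AS first_seen, max(_time) AS last_seen,
        values(idx) AS idx, values(h) AS hosts BY st, squashed
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")

index=os sourcetype=config_file earliest=-30d@d
| stats count, sum(eval(len(_raw))) AS raw_bytes, min(_time) AS first_seen, max(_time) AS last_seen BY host, source
```

If the first search reports bytes with idx=os for a window in which the second search returns nothing, the gap is on the search side (the search head does not have every indexer as a search peer, or the role's allowed indexes exclude os) or the events were written to a different index than expected; if the first search itself returns no rows, _internal is not reaching the search head from the indexers and the license report should be read on the license master instead.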
LOL, not the best screenshot was it? I loaded a more consistent one.
This has been going on for weeks and there is never anything put in os.
Now, could you verify if you have access to index=os, just to be sure? (Check in the role/user settings or run the REST command | rest /services/authentication/users/<<yourUserName>>)
I do have access.
Strange. So I'm guessing you've tried running your search with a very wide time range, as the data could be historical? Also, are you running this search from an appropriate SH which has all the indexers as search peers? Can you see data for other sourcetypes in index=os?
Also, in your license usage search, the highlighted event has h="", do you get other records with a non-empty h value?
Searching for all time returns nothing for config_file, but I can see other sourcetypes.
Yes, there are valid h values for about 96% of the results in that search.