I noticed today that my license audit source is not up to date:
index=_internal source=*license_audit.log
This does not have any data since 09/08/2012... but I have on idea why.
Any ideas for me?
Hi there,
I would take this as good news, as the license_audit.log file is used for tracking license violations (i.e. when you go over the limit).
I think you are looking for license_usage.log, this tracks your general usage.
Please see the following docs for reference...
http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself
Regards,
MHibbin
Try including your search query in backticks (e.g. "`").
Which version of Splunk are you using? Have undergone an upgrade... The following provides differences between versions of SPlunk and checking license usage etc.
http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume
Bah, that has an asterisk before license_audit.log that the web form has removed on my behalf.
This query:
index=_internal todaysBytesIndexed LicenseManager-Audit source=*license_audit.log | eval Daily_Indexing_Volume_in_MBs = todaysBytesIndexed/1024/1024 | bucket _time span=1d | stats avg(Daily_Indexing_Volume_in_MBs) AS UsageMB first(licenseSize) AS LicenseSize by _time host | eval UsagePercent=UsageMB/(LicenseSize/1024/1024)*100 | eval UsagePercent=round(UsagePercent, 2) | table _time host LicenseSize UsageMB UsagePercent
Which I have used for over a year no longer works.
And no, I'm not over my licensing... and I haven't been.. .but this query always worked.