- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Why is my license usage showing for indexes that d...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is my license usage showing for indexes that don't exist ?
I am using the license usage app and i have usage being shown for indexes that arent on the system.
If i click on the index (listed in the license usage app) i'm taken to the following search (below) - what is this telling me ? series is the non-existant index name.
index="_internal" source="*metrics.log" per_index_thruput series=devices
usually if i am receiving events for an index that doesn't exist then it shows in splunk messages.
To resolve this will adding the relevant index (devices) start it populating ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is weird scenario
If you are looking at the license usage per index please run this search
index=_internal source=*license_usage.log type="Usage" | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval sourcetypename = st | eval host=h | bin _time span=1d | stats sum(b) as b by _time, host, indexname, sourcetypename | eval GB=(b/1024/1024/1024) | fields _time, indexname, sourcetypename, host, GB | stats sum(GB) as GB by indexname, sourcetypename, host
Once all the values are populated , search if there are any index=devices populated and let us know so that it helps our community with more insight what actually happening ..
Happy Splunking !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nope the index does not show in the output of that search - the others do.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are in situation " receiving events for an index that doesn't exist then it shows in splunk messages."
Means you are trying to send the data to unconfigured index , so you need to create the index .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No i do not see those messages - as described in the initial post - i have seen those before and duly created an index
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
New in Observability Cloud - Explicit Bucket Histograms
