Splunk License Usage showing everything by host

mmletzko · ‎10-22-2010

I have 2 Splunk systems - Prod and QA. Both are running the same version, have the same data before forwarded to them, etc. When I run the Splunk License Usage in Prod, it works fine - I've even added some for 7 and 30 day periods.

But, when I use the license app for QA, every applet is showing the results based on hosts, not source or sourcetype. If I manually run the query for a particular applet in the search screen, it shows hosts across the top, not sourcetype. But, if I look at my main Splunk screen, the sourcetypes are there and seems to be working correctly.

If I execute the query in the search app, I get the same thing - column headings with hosts instead of sourcetypes.

index="_internal" source="/*/metrics.log" per_sourcetype_thruput | timechart sum(kb) by series

What would cause this?

Thanks!

mmletzko · ‎11-01-2010

Thanks for the reply Simeon. I figured out the problem. Somehow my inputs.conf file got poplulated with a bunch of things that shouldn't have been in there, and missing what should have been in there. Once I got that fixed, the licensing information was OK.

Simeon · ‎10-22-2010

The search query you have shown is specific to sourcetype thruput. Unless Splunk is using the host value as the sourcetype, it might simply be a charting label issue. If you want host specific statistics, you can run this search:

index="_internal" source="/*/metrics.log" per_host_thruput | timechart sum(kb) by series

Note that any of the metrics.log per_*_thruput entries are limited to the top ten series. If you want to increase this value, you can edit the limits.conf file for the number of values used in the metrics.log file.

Splunk License Usage showing everything by host

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk