https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242743#M3784 <P>This is spot on. Summarizing: You have bytes (b) broken down by source (s), sourcetype (st), host (h), etc... in the license_usage.log when type=Usage. It's possible that those get collapsed if usage is too intense. So as <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/172708">@martin_mueller</a> points out, there are other data points that can be used OR go to the data itself with an <CODE>eval size = len(_raw)</CODE>.</P> <P>If these numbers add up and the customer is still pushing back, feel free to engage the account team from Splunk for assistance.</P> Tue, 29 Sep 2020 11:54:15 GMT sloshburch 2020-09-29T11:54:15Z https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242738#M3779 <P>Hi,</P> <P>I have a customer who is challenging the license numbers being reported by Splunk for his hosts. Is there a way to actually count the number of bytes for all of his events over a time period?</P> Wed, 17 Jun 2020 00:20:52 GMT https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242738#M3779 a212830 2020-06-17T00:20:52Z https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242739#M3780 <P>Well you could use Splunk to count it for you, but if you suspect Splunk is reporting it incorrectly then this may not solve your problem.. You will have to go and tally up the file sizes on the servers between a specific time period and sum them up </P> Sat, 19 Nov 2016 21:40:46 GMT https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242739#M3780 skoelpin 2016-11-19T21:40:46Z https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242740#M3781 <P>I'd rather go the route of having Splunk count it, at least initially. How can I do that? </P> Sat, 19 Nov 2016 22:22:26 GMT https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242740#M3781 a212830 2016-11-19T22:22:26Z https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242741#M3782 <P>You can get an approximate count of character length in events by doing average of len(_raw) over a small set of events and then multiply the average length with the total eventcount using |tstats and convert your # of characters into bytes, MB and so on.. again this is clearly an approximation but gives you fair idea</P> Sun, 20 Nov 2016 02:41:45 GMT https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242741#M3782 pradeepkumarg 2016-11-20T02:41:45Z https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242742#M3783 <P>Depending on the amount of data and what parts of Splunk's internal counting you trust or mistrust, there are several approaches.</P> <P>In any case, you're probably comparing against the license usage view, so Settings -&gt; License or something like that on your license master. That's nice visually, but underneath there is anactual log you want to look at: <CODE>index=_internal source=*license_usage* component=LicenseUsage</CODE></P> <P><CODE>type=RolloverSummary</CODE> has daily summaries, that's what is displayed in the 30-day view by default.<BR /> <CODE>type=Usage</CODE> has detailed usage on 30-second intervals iirc, that's displayed in the 30-day view if you split by some of the more specific fields.</P> <P>Assuming the view itself isn't broken and is reporting that log correctly, you'll want to compare other sources of information against that log. You can use short timespans and compare with Usage over that span, or whole days and compare with RolloverSummary, or both.</P> <P>As for other sources of info, here are a few ideas.</P> <OL> <LI><P>brute force<BR /> Pick a suspicious, high-volume set of data like a certain sourcetype or index, and pipe it through <CODE>| eval length = length(_raw) | stats sum(length)</CODE>, then compare that number to the data you get from license usage logging. The search may be unfeasible for larger sets of data, but should be most precise.</P></LI> <LI><P>metrics logging<BR /> In the internal index there's also <CODE>source=*metrics*</CODE> that provides a second source of data. It won't always line up with licensing, but for your larger indexes, sourcetypes, etc. the <CODE>group=per_index_thruput</CODE> or <CODE>group=per_sourcetype_thruput</CODE> should be pretty good data.<BR /> For a twist, forwarders also log metrics... but getting the right metric from the right set of forwarders can be tricky. I'd recommend starting with indexer metrics logs.<BR /> You might ask "but that's splunk counting, I don't trust splunk's counting!" ... well yeah, but assuming the license counter had a bug in your case, the metrics counter might not have that same bug.</P></LI> <LI><P>dbinspect<BR /> This should be the fastest, least-splunk-counter-dependent way... but also the least accurate. When you run <CODE>| dbinspect index=foo</CODE> you get a <CODE>rawSize</CODE> field for each bucket. If you have an index that has never had buckets rolled out and you have license usage log data for the entire life of the index, comparing the total <CODE>rawSize</CODE> should line up with the total license usage for that index.</P></LI> </OL> <P>Finally, make sure you're comparing apples with apples.<BR /> Have you looked at all indexers connected to your license master?<BR /> Have you looked at all data for the to-be-compared time range? There could be data for yesterday coming in today, so it'll be timerange-sorted into yesterday but license-reported into today.</P> Sun, 20 Nov 2016 17:56:35 GMT https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242742#M3783 martin_mueller 2016-11-20T17:56:35Z https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242743#M3784 <P>This is spot on. Summarizing: You have bytes (b) broken down by source (s), sourcetype (st), host (h), etc... in the license_usage.log when type=Usage. It's possible that those get collapsed if usage is too intense. So as <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/172708">@martin_mueller</a> points out, there are other data points that can be used OR go to the data itself with an <CODE>eval size = len(_raw)</CODE>.</P> <P>If these numbers add up and the customer is still pushing back, feel free to engage the account team from Splunk for assistance.</P> Tue, 29 Sep 2020 11:54:15 GMT https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242743#M3784 sloshburch 2020-09-29T11:54:15Z https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242744#M3785 <P>Cross referencing similar post: <A href="https://answers.splunk.com/answers/476227/help-with-license-validation.html">https://answers.splunk.com/answers/476227/help-with-license-validation.html</A></P> Mon, 21 Nov 2016 13:17:54 GMT https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242744#M3785 sloshburch 2016-11-21T13:17:54Z https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242745#M3786 <P>Gooooood info. Thanks! </P> Tue, 22 Nov 2016 18:21:52 GMT https://community.splunk.com/t5/Installation/How-to-validate-actual-GB-count-of-license-usage/m-p/242745#M3786 a212830 2016-11-22T18:21:52Z