All Apps and Add-ons

Getting throughput info from indexers without Licence server?

griersoncrick
Explorer

In short, we don't have direct access to our licensing server (it's being managed by our service provider) - but we still need to know what the volume of indexed data is each day.

We do get a report from our service provider each day with licence usage data, but we want a dashboard doing the same.

We found that running this SPL query:

index="_internal" source="*metrics.log" per_index_thruput source="/opt/splunk/var/log/splunk/metrics.log" 
| eval gb=kb/1024/1024
| timechart span=1d sum(gb) as "Total Per Day" by series useother=f 
| fields - VALUE_*

It sort of works, but the values we get are not matching the licence usage report we are getting. It's adding about 1/3rd more to the totals.

We've got indexer and search head clusters (3 in each), splunk enterprise 8.0.0.

Any advise appreciated!

0 Karma

griersoncrick
Explorer

I've tried without any conversion - and the the results are no different when I take the KB total and convert elsewhere.

The report we get from our service provider is lower on the Licence usage than our Throughput logs from each of the indexers. Is that normal?

0 Karma

martynoconnor
Communicator

Depending on where and when in the search process the conversion from kilobytes to gigabytes is done, rounding errors may be coming into play. Try perhaps not doing the conversion till after the sum. That should help minimise the error, especially if you have lots of small bits of data coming in.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @ griersoncrick,
did you tried with the Splunk Monitoring Console? [Settings -- Monitoring Console -- Indexing -- License Usage -- License Usage - Previous 30 Days].

Ciao.
Giuseppe

0 Karma

griersoncrick
Explorer

Yes - although it requires access to the licence-master, and we don;'t have access due to the way our service provider manages the service.

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...