How to understand actual license volume for index

evelenke
Contributor

Hi Splunkers,

Generally we use this approach to calculate license use for an index, by querying:
index="_internal" source="*metrics.log" group="per_index_thruput" series=myindex host=myindexer*
| stats sum(kb) as mb
| eval mb=mb/1024

But when we calculate it like a real raw size with
index=myindex
| eval mb=len(_raw)
| stats sum(mb) as mb
| eval mb=mb/1024/1024

we may have a big difference, for example for one of the indexes it is 4 Gb against 180mb!
Why is that? Please explain.

0 Karma
1 Solution

evelenke
Contributor

Hi,

Sorry, I've figured out the problem - the reason for this is that on that day many events for a previous period were added to audit.
How should I handle this question correctly?

0 Karma
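
An added example, not part of the original thread or any poster's code: metrics.log records throughput at the moment data is indexed, while a search on `index=myindex` selects events by their own timestamps, so backfilled events for an earlier period count toward the first number but not the second. The search below selects by index time instead, using the `_index_earliest` and `_index_latest` modifiers, and breaks the volume out by event day; `myindex` and the one-day window are placeholders.

```spl
index=myindex earliest=0 _index_earliest=-1d@d _index_latest=@d
| eval b=len(_raw)
| eval event_day=strftime(_time, "%Y-%m-%d")
| stats count as events sum(b) as b by event_day
| eval mb=round(b/1024/1024, 2)
| sort event_day
| addcoltotals labelfield=event_day label="total indexed in window" events b mb
```

Rows with an `event_day` earlier than the index-time window are the backfilled data. `len(_raw)` counts characters, so data containing multi-byte characters will read lower than the figure from metrics.log.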

mdsnmss
SplunkTrust

You can just mark your response here as the answer. That way the question will be marked as resolved and answered.

0 Karma

mdsnmss
SplunkTrust

Have you narrowed your license usage down to a single index in _internal? You have a single index search for real raw but the other search provided gives info for all indexes.

index="_internal" source="*metrics.log" group="per_index_thruput" series="myindex"
| eval mb=kb/1024
| stats sum(mb) as mb

index=myindex
| eval b=len(_raw)
| stats sum(b) as b
| eval mb=b/1024/1024

Is it the _internal or the raw search that shows as the higher number? You also want to look at conversion. Len will give you bytes vs. the _internal data that provides it in kb.

0 Karma