All Apps and Add-ons

How to understand actual license volume for index

evelenke
Contributor

Hi Splunkers,

generally we use the approach to calculate license use for index by quering:
index="_internal" source="*metrics.log" group="per_index_thruput" series=myindex host=myindexer*
| stats sum(kb) as mb
| eval mb=mb/1024
.
But when we calculate it like a real raw size with
index=myindex
| eval mb=len(_raw)
| stats sum(mb) as mb
| eval mb=mb/1024/1024

we may have big difference, for example for one of indexes it is 4 Gb against 180mb!
Why is it so, please explain

0 Karma
1 Solution

evelenke
Contributor

HI,

sorry, I've figured out the problem - the reason of this is that at that day many of events for previous period was added to audit.
How should I handle this question correctly?

View solution in original post

0 Karma

evelenke
Contributor

HI,

sorry, I've figured out the problem - the reason of this is that at that day many of events for previous period was added to audit.
How should I handle this question correctly?

0 Karma

mdsnmss
SplunkTrust
SplunkTrust

You can just mark your response here as the answer. That way the question will be marked as resolved and answered.

0 Karma

mdsnmss
SplunkTrust
SplunkTrust

Have you narrowed your license usage down to a single index in _internal? You have a single index search for real raw but the other search provided gives info for all indexes.

index="_internal" source="*metrics.log" group="per_index_thruput" series="myindex" 
| eval mb=kb/1024 
| stats sum(mb) as mb

index=myindex 
| eval b=len(_raw) 
| stats sum(mb) as mb 
| eval mb=b/1024/1024

Is it the _internal or the raw search that shows as the higher number? You also want to look at conversion. Len will give you bytes vs. the _internal data that provides it in kb.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...