All Apps and Add-ons

How to understand actual license volume for index

evelenke
Contributor

Hi Splunkers,

generally we use the approach to calculate license use for index by quering:
index="_internal" source="*metrics.log" group="per_index_thruput" series=myindex host=myindexer*
| stats sum(kb) as mb
| eval mb=mb/1024
.
But when we calculate it like a real raw size with
index=myindex
| eval mb=len(_raw)
| stats sum(mb) as mb
| eval mb=mb/1024/1024

we may have big difference, for example for one of indexes it is 4 Gb against 180mb!
Why is it so, please explain

0 Karma
1 Solution

evelenke
Contributor

HI,

sorry, I've figured out the problem - the reason of this is that at that day many of events for previous period was added to audit.
How should I handle this question correctly?

View solution in original post

0 Karma

evelenke
Contributor

HI,

sorry, I've figured out the problem - the reason of this is that at that day many of events for previous period was added to audit.
How should I handle this question correctly?

0 Karma

mdsnmss
SplunkTrust
SplunkTrust

You can just mark your response here as the answer. That way the question will be marked as resolved and answered.

0 Karma

mdsnmss
SplunkTrust
SplunkTrust

Have you narrowed your license usage down to a single index in _internal? You have a single index search for real raw but the other search provided gives info for all indexes.

index="_internal" source="*metrics.log" group="per_index_thruput" series="myindex" 
| eval mb=kb/1024 
| stats sum(mb) as mb

index=myindex 
| eval b=len(_raw) 
| stats sum(mb) as mb 
| eval mb=b/1024/1024

Is it the _internal or the raw search that shows as the higher number? You also want to look at conversion. Len will give you bytes vs. the _internal data that provides it in kb.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...