All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to understand actual license volume for index

evelenke
Contributor
‎01-14-2020 09:27 AM

Hi Splunkers,

generally we use the approach to calculate license use for index by quering:
index="_internal" source="*metrics.log" group="per_index_thruput" series=myindex host=myindexer*
| stats sum(kb) as mb
| eval mb=mb/1024.
But when we calculate it like a real raw size with
index=myindex
| eval mb=len(_raw)
| stats sum(mb) as mb
| eval mb=mb/1024/1024
we may have big difference, for example for one of indexes it is 4 Gb against 180mb!
Why is it so, please explain

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

evelenke
Contributor
‎01-14-2020 03:07 PM

HI,

sorry, I've figured out the problem - the reason of this is that at that day many of events for previous period was added to audit.
How should I handle this question correctly?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

evelenke
Contributor
‎01-14-2020 03:07 PM

HI,

sorry, I've figured out the problem - the reason of this is that at that day many of events for previous period was added to audit.
How should I handle this question correctly?

0 Karma
Reply
Solved! Jump to solution

mdsnmss
SplunkTrust
SplunkTrust
‎01-15-2020 05:47 AM

You can just mark your response here as the answer. That way the question will be marked as resolved and answered.

0 Karma
Reply
Solved! Jump to solution

mdsnmss
SplunkTrust
SplunkTrust
‎01-14-2020 10:55 AM

Have you narrowed your license usage down to a single index in _internal? You have a single index search for real raw but the other search provided gives info for all indexes.

index="_internal" source="*metrics.log" group="per_index_thruput" series="myindex" 
| eval mb=kb/1024 
| stats sum(mb) as mb

index=myindex 
| eval b=len(_raw) 
| stats sum(mb) as mb 
| eval mb=b/1024/1024

Is it the _internal or the raw search that shows as the higher number? You also want to look at conversion. Len will give you bytes vs. the _internal data that provides it in kb.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...