Solved: How to understand actual license volume for index

evelenke · ‎01-14-2020

Hi Splunkers,

generally we use the approach to calculate license use for index by quering:
index="_internal" source="*metrics.log" group="per_index_thruput" series=myindex host=myindexer* | stats sum(kb) as mb | eval mb=mb/1024.
But when we calculate it like a real raw size with
index=myindex | eval mb=len(_raw) | stats sum(mb) as mb | eval mb=mb/1024/1024
we may have big difference, for example for one of indexes it is 4 Gb against 180mb!
Why is it so, please explain

evelenke · ‎01-14-2020

HI,

sorry, I've figured out the problem - the reason of this is that at that day many of events for previous period was added to audit.
How should I handle this question correctly?

View solution in original post

evelenke · ‎01-14-2020

HI,

sorry, I've figured out the problem - the reason of this is that at that day many of events for previous period was added to audit.
How should I handle this question correctly?

mdsnmss · ‎01-15-2020

You can just mark your response here as the answer. That way the question will be marked as resolved and answered.

mdsnmss · ‎01-14-2020

Have you narrowed your license usage down to a single index in _internal? You have a single index search for real raw but the other search provided gives info for all indexes.

index="_internal" source="*metrics.log" group="per_index_thruput" series="myindex" 
| eval mb=kb/1024 
| stats sum(mb) as mb

index=myindex 
| eval b=len(_raw) 
| stats sum(mb) as mb 
| eval mb=b/1024/1024

Is it the _internal or the raw search that shows as the higher number? You also want to look at conversion. Len will give you bytes vs. the _internal data that provides it in kb.

How to understand actual license volume for index

Unleash Unified Security and Observability with Splunk Cloud Platform

Enterprise Security Content Update (ESCU) | New Releases

Join the Splunk Developer Program Hackathon: Splunk Build-a-thon!