Running Splunk 6 and using the Universal Forwarder (Version 6.0.182611) to forward IIS to splunk. Indexing is working correctly however we have had license breaches in the last 2 days since adding the IIS source where I believe we should have had spare capacity.
The size of the log files on the server (~120mb yesterday) doesn't seem to match the indexing size even closely. Running the search for yesterday (Only 1 IIS server currently so only 1 sourcetype=iis):
sourcetype=iis | eval size=len(_raw) | stats sum(size)
This search shows it at around 700mb. Is there a trick to IIS and log usage? How would a 120mb log file consume so much more than its actual size?
This question seems similar to http://answers.splunk.com/answers/129381/iis-log-over-my-licensing, to which no one has responded.
Any tips, clues, links etc....
the query shows that it was indeed the new IIS logs that were breaking the license.
sourcetype=iis | eval raw=_raw | convert ctime(_indextime) AS idxtime | stats count AS event_count dc(idxtime) as idxtimes_count, values(source), values(idxtime) by raw | where event_count > 1
is showing that every event is being indexed multiple times. I am still working with support to solve the problem, but I will post any resolution here in case it helps anyone else.
If you want to find out the usage the best way is to use the _internal index.
The following search will break license usage down by sourcetype and index.
This should get you started
index=_internal source=*license_usage.log type=Usage earliest=-2d@d latest=-1d@d | rename st as sourcetype, idx as index, b as bytes | fields sourcetype index host bytes | stats sum(eval((bytes/1024)/1024)) as MB by sourcetype index
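The two searches in this thread (the duplicate-event check grouped by raw text in the asker's update, and the license_usage.log breakdown by sourcetype and index in the answer) can be reproduced offline in Python, which is useful for sanity-checking what the SPL is doing. The following is an added example and is not code from the thread or from Splunk: the IIS W3C lines, index times and license_usage.log lines are constructed samples (the license_usage.log field names s, st, idx, b and type="Usage" follow the answer's search; the exact line layout is an assumption).

```python
import re
from collections import defaultdict

# Constructed IIS W3C log lines (not real traffic). RAW_A and RAW_B are
# deliberately indexed more than once below to reproduce the symptom.
RAW_A = "2014-04-01 10:00:01 192.0.2.10 GET /default.aspx - 80 - 198.51.100.5 Mozilla/5.0 200 0 0 15"
RAW_B = "2014-04-01 10:00:02 192.0.2.10 GET /images/logo.png - 80 - 198.51.100.5 Mozilla/5.0 200 0 0 3"
RAW_C = "2014-04-01 10:00:05 192.0.2.10 POST /login.aspx - 80 - 198.51.100.7 Mozilla/5.0 302 0 0 41"
SOURCE = "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex140401.log"  # assumed path


def _event(raw, indextime, source=SOURCE):
    """Shape one event the way Splunk exposes it: _raw, source, _indextime."""
    return {"_raw": raw, "source": source, "_indextime": indextime}


# Constructed indexed events: A three times, B twice, C once, each copy
# with a different _indextime (i.e. the forwarder re-read the file).
INDEXED_EVENTS = [
    _event(RAW_A, 1396346401), _event(RAW_B, 1396346402), _event(RAW_C, 1396346405),
    _event(RAW_A, 1396346461), _event(RAW_B, 1396346462),
    _event(RAW_A, 1396346521),
]


def indexed_bytes(events):
    """Equivalent of: eval size=len(_raw) | stats sum(size)."""
    return sum(len(ev["_raw"]) for ev in events)


def unique_bytes(events):
    """Bytes you would expect if each raw line had been indexed exactly once."""
    return sum(len(raw) for raw in {ev["_raw"] for ev in events})


def duplicate_report(events):
    """Equivalent of: stats count AS event_count dc(idxtime) AS idxtimes_count
    values(source) values(idxtime) by raw | where event_count > 1."""
    groups = defaultdict(lambda: {"event_count": 0, "idxtimes": set(), "sources": set()})
    for ev in events:
        g = groups[ev["_raw"]]
        g["event_count"] += 1
        g["idxtimes"].add(ev["_indextime"])
        g["sources"].add(ev["source"])
    return {
        raw: {
            "event_count": g["event_count"],
            "idxtimes_count": len(g["idxtimes"]),
            "sources": sorted(g["sources"]),
            "idxtimes": sorted(g["idxtimes"]),
        }
        for raw, g in groups.items()
        if g["event_count"] > 1
    }


# Constructed license_usage.log lines in the key=value style the answer's
# search relies on (type, s, st, h, idx, b); the non-Usage line is skipped.
LICENSE_USAGE_LINES = [
    '04-01-2014 00:00:00.000 +0000 INFO  LicenseUsage - type="Usage" s="' + SOURCE + '" st="iis" h="web01" o="" idx="main" i="LICENSE_SLAVE_GUID" pool="auto_generated_pool_enterprise" b=125829120 poolsz=1073741824',
    '04-01-2014 00:00:00.000 +0000 INFO  LicenseUsage - type="Usage" s="' + SOURCE + '" st="iis" h="web01" o="" idx="main" i="LICENSE_SLAVE_GUID" pool="auto_generated_pool_enterprise" b=629145600 poolsz=1073741824',
    '04-01-2014 00:00:00.000 +0000 INFO  LicenseUsage - type="Usage" s="WinEventLog:Security" st="WinEventLog" h="web01" o="" idx="main" i="LICENSE_SLAVE_GUID" pool="auto_generated_pool_enterprise" b=10485760 poolsz=1073741824',
    '04-01-2014 00:00:00.000 +0000 INFO  LicenseUsage - type="RolloverSummary" stacksz=1073741824 pool="auto_generated_pool_enterprise" b=765460480',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Extract key=value and key="quoted value" pairs from one log line."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def license_usage_mb(lines):
    """Equivalent of: type=Usage | stats sum((b/1024)/1024) as MB by st idx."""
    totals = defaultdict(int)
    for line in lines:
        kv = parse_kv(line)
        if kv.get("type") != "Usage":
            continue
        totals[(kv["st"], kv["idx"])] += int(kv["b"])
    return {key: round(b / 1024 / 1024, 2) for key, b in totals.items()}


if __name__ == "__main__":
    print("indexed bytes:", indexed_bytes(INDEXED_EVENTS), "unique bytes:", unique_bytes(INDEXED_EVENTS))
    for raw, info in duplicate_report(INDEXED_EVENTS).items():
        print(info["event_count"], "copies,", info["idxtimes_count"], "index times:", raw[:40])
    for (st, idx), mb in sorted(license_usage_mb(LICENSE_USAGE_LINES).items()):
        print(f"{st:12} {idx:6} {mb:8.2f} MB")
```

The ratio of indexed_bytes to unique_bytes is the same multiple the asker saw between the 120mb file and the ~700mb search result; any raw line reported by duplicate_report with idxtimes_count greater than 1 was read again at a later time rather than being a genuine repeated request, which is the signature to take to support.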