All Apps and Add-ons

Splunk usage metrics.log vs license_usage.log vs len(_raw)

Communicator

Hello Splunk Gurus,

I am observing some discrepancies between metrics.log, license_usage.log, and len(_raw).

I am looking at usage for 1 specific host through 1 single day.

Searches below:

License_usage.log (Calculated Usage=1 GB):

index=_internal source=*license_usage.log type=Usage h=myhost
| stats sum(b) as bytes by h 
| eval MB = round(bytes/1024/1024,1)
| fields h MB
| rename h as host

Metrics.log (Calculated Usage = 1GB):

index=_internal source=*metrics.lo* group="per_host_thruput" series=myhost
| eval MB=kb/1024 
|stats sum(MB) by series

Raw Events (Calculated Usage = 20 MB):

index=* OR index=_* host=myhost
| eval bytes=len(_raw) 
| stats sum(eval(bytes/1024/1024)) as mb, by index sourcetype

I am redirecting some events to the NULL queue. Therefore, those events would not show up the "Raw Events" search. However, what impact does the NULL queue have on metrics.log and license_usage.log? Is my assumption correct that len(raw) should somewhat approximate to the metrics on the metrics/license logs?

Thanks!

Splunk Employee
Splunk Employee

If you are using Splunk 6.0, use the new License Usage Report View. If you are using Splunk 5.x, install the latest version of the Splunk on Splunk app and it has the same view for your 5.x environment.

Splunk Employee
Splunk Employee

Are you using SoS 3.1.0? Just want to make sure you are using the latest version. If it still doesn't give you the reporting you need, please provide the details and I will make sure the developers of the app see this posting.

Communicator

I have SoS installed. It just does not give me the granularity that I need. Thanks!

0 Karma

Super Champion

Well, the first two searches will be your best measure of license usage.

The third search uses the len command which return the length of the string, which is not a direct measure of bytes. Calling it bytes does not make it bytes. Also, it includes data from the internal index, which does not count against the license.

Your last question about nullQueue - items sent to nullQueue are dropped prior to indexing, so they do not count against the index volume.

0 Karma

Super Champion

That is a good question. Does it matter if it is a 32 or 64 bit system? Or am I thinking too much?

Try it Without including the internal indexes - they are not counted against your license.

0 Karma

Communicator

Thank you! If the len command returns the character length of a string X and 1 character is 1 byte. Why would it not makes sense to call it bytes?

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!