Hello Splunk Gurus,
I am observing some discrepancies between metrics.log, license_usage.log, and len(_raw).
I am looking at usage for 1 specific host through 1 single day.
License_usage.log (Calculated Usage=1 GB):
index=_internal source=*license_usage.log type=Usage h=myhost | stats sum(b) as bytes by h | eval MB = round(bytes/1024/1024,1) | fields h MB | rename h as host
Metrics.log (Calculated Usage = 1GB):
index=_internal source=*metrics.lo* group="per_host_thruput" series=myhost | eval MB=kb/1024 |stats sum(MB) by series
Raw Events (Calculated Usage = 20 MB):
index=* OR index=_* host=myhost | eval bytes=len(_raw) | stats sum(eval(bytes/1024/1024)) as mb, by index sourcetype
I am redirecting some events to the NULL queue. Therefore, those events would not show up in the "Raw Events" search. However, what impact does the NULL queue have on metrics.log and license_usage.log? Is my assumption correct that len(raw) should somewhat approximate the metrics in the metrics/license logs?
Well, the first two searches will be your best measure of license usage.
The third search uses the len command, which returns the length of the string, which is not a direct measure of bytes. Calling it bytes does not make it bytes. Also, it includes data from the internal index, which does not count against the license.
Your last question about nullQueue - items sent to nullQueue are dropped prior to indexing, so they do not count against the index volume.
Thank you! If the len command returns the character length of a string X and 1 character is 1 byte, why would it not make sense to call it bytes?
That is a good question. Does it matter if it is a 32- or 64-bit system? Or am I thinking too much?
Try it without including the internal indexes - they are not counted against your license.
Are you using SoS 3.1.0? Just want to make sure you are using the latest version. If it still doesn't give you the reporting you need, please provide the details and I will make sure the developers of the app see this posting.