Why are my search results for daily indexed data different from the License Report > Daily Volume in the Deployment Monitor app?


I have to calculate the amount of data to be indexed on a daily basis in a custom dashboard.
I was using the following search:

index=_internal source=*metrics.log per_index_thruput | eval GB=kb/(1024*1024) | timechart span=1d sum(GB)

and now when I see the Splunk Deployment Monitor app (License Report>>Daily Volume by Week for Last 4 weeks), the indexed data is half the amount of what I am getting from this search.
I need to understand the correct amount of indexed data, so is my search not pulling the correct data, or is the Deployment Monitor not reflecting the right amount of data?

0 Karma


There is a really nice answer to this question here:

Why an internal index search on per_index_thruput...

The bottom line: you should be looking at the license_usage.log on your license master.

0 Karma


When I use license_usage.log I get half the amount of volume count, but when I use source="*metrics.log"
I get twice the amount of volume compared to that of license.

When I use

 index="_internal" source=*license_usage.log* type=Usage | eval b=b/(1024*1024*1024) | timechart span=d sum(b)

I get 49 GB for a specific day.
When I use

 index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |timechart span=d sum(GB)

I get 98GB for that same day.

So as I understand metrics.log will only return top 10 values every second and will not give precise data?
But it seems to be otherwise.

0 Karma
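
Added example, not part of the thread: one search that puts the two sources from the posts above side by side per day, and splits the totals by the host that wrote the events so it is visible which instances make up the metrics.log figure. It assumes the license master's _internal events are searchable from where it is run; `b` in license_usage.log is in bytes and `kb` in metrics.log is in kilobytes, so each needs its own divisor to reach GB. The output field names (`license_GB`, `metrics_GB`, `day_license_GB`, `day_metrics_GB`, `day_ratio`) are names chosen for this example.

```spl
index=_internal ((source=*license_usage.log* type=Usage) OR (source=*metrics.log per_index_thruput))
| eval license_GB=if(like(source, "%license_usage.log%"), b/pow(1024,3), null())
| eval metrics_GB=if(like(source, "%metrics.log"), kb/pow(1024,2), null())
| bin _time span=1d
| stats sum(license_GB) AS license_GB sum(metrics_GB) AS metrics_GB BY _time host
| eventstats sum(license_GB) AS day_license_GB sum(metrics_GB) AS day_metrics_GB BY _time
| eval day_ratio=round(day_metrics_GB/day_license_GB, 2)
| sort _time host
```

A `day_ratio` close to 1 means the two sources agree for that day; when it is not, the per-host rows show where the metrics.log volume was recorded.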