Why are two different queries that return license usage by host getting different results (with several hosts missing)?



I am trying to determine total license usage in GB by a certain group of assets where hostname starts with "xyz". There are a total of 24 such hosts that are currently sending data in Splunk, but I tried two different searches to get license count and both reported a different number of hosts.

Following query gave results for 10 hosts.

index=_internal host=<License Master> source=*license_usage.log* type="Usage" h=xyz* | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | eval b=b/(1024*1024*1024)  | timechart span=1d sum(b) AS volumeB by h fixedrange=false useother=f

Whereas the following gave data only for 7 of them.

index=_internal source=*metrics.log group="tcpin_connections" hostname=xyz*   | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | stats sum(kb) as KB by sourceHost | eval KB = round(KB)

We have just one license master and both queries above were run for a 24 Hour window. How can I get the total sum of data sent by these hosts(xyz*) in the last 24 hours?


~ Abhi

0 Karma


It might not be possible from the metrics log because if you have a lot of hosts/sources/sourcetypes, they will be squashed and summarised. It does this to stop the metrics log from becoming huge.

You could run a search like this instead, however it is going to be very slow:

index=whatever | eval len = len(_raw) | stats sum(len) by host

That will tell you the answer in bytes.

0 Karma