Solved: Is there away to find the exact hostname from the ...

rickymckenzie10

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx   
| timechart span=1d sum(b) AS volumeB by h fixedrange=false  
| join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d 
| eval _time=_time - 43200 
| bin _time span=1d 
| dedup _time stack 
| stats sum(stacksz) AS "stack size" by _time] 
| fields - _timediff  
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

livehybrid

Hi @rickymckenzie10

Its not possible to un-squash existing squashed details, the threshold for the squashing is controlled within server.conf however it is generally not recommended to change this due to potential performance implications, see https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Serverconf#:~:text=set.%0A*%20Default%3A%20... for more info:

squash_threshold = <positive integer>
* Periodically the indexer must report to license manager
  the data indexed broken down by source, sourcetype, host, and index. If
  the number of distinct (source, sourcetype, host, index) tuples grows over
  the 'squash_threshold', the (host, source) values are squashed and only a
  breakdown by (sourcetype, index) is reported. This is to prevent explosions in
  memory + license_usage.log lines.
* This is an advanced setting. Set it only after consulting a Splunk
  Support engineer.
* This needs to be set on license peers as well as the license
  manager.
* Default: 2000

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

View solution in original post

livehybrid

Hi @rickymckenzie10

Its not possible to un-squash existing squashed details, the threshold for the squashing is controlled within server.conf however it is generally not recommended to change this due to potential performance implications, see https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Serverconf#:~:text=set.%0A*%20Default%3A%20... for more info:

squash_threshold = <positive integer>
* Periodically the indexer must report to license manager
  the data indexed broken down by source, sourcetype, host, and index. If
  the number of distinct (source, sourcetype, host, index) tuples grows over
  the 'squash_threshold', the (host, source) values are squashed and only a
  breakdown by (sourcetype, index) is reported. This is to prevent explosions in
  memory + license_usage.log lines.
* This is an advanced setting. Set it only after consulting a Splunk
  Support engineer.
* This needs to be set on license peers as well as the license
  manager.
* Default: 2000

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Is there away to find the exact hostname from the (SQUASHED) details in Splunk?

indexer

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Is there away to find the exact hostname from the (SQUASHED) details in Splunk?

indexer

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability