Getting Data In

Why does license usage differ between the number found using RolloverSummary versus Usage from the license_usage.log file?

Communicator

I did the two following searches using the same license_usage.log file and got different results for yesterday's total bytes used by that indexer. Why are they different and which is more accurate?

index=_internal host=splunk source=*license_usage.log type="RolloverSummary" slave=09F538B3-E658-4C42-A213-EE89679465E0 | eval _time=_time - 43200 | bin _time span=1d  | eval TotalBytes=b/1024/1024/1024

Result: 63.288 GB

index = _internal host = splunk source = *license_usage.log type = "Usage" i=09F538B3-E658-4C42-A213-EE89679465E0 | stats sum(b) as TotalBytes | eval TotalBytes=TotalBytes/1024/1024/1024

Result: 63.2525 GB

Same time span - different result.

0 Karma

Splunk Employee
Splunk Employee

Usage is a blanket counter which increments whenever something is indexed. RolloverSummary is a tall(sum) of the days usage which is calculated just after midnight. There is likely a discrepancy with the time period searched leaving a gap between the summary evaluation and the time period beginning/end.

0 Karma

Path Finder

I am seeying the same as coleman07 describes, only that this is happening in LURV (http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/AboutSplunksLicenseUsageReportView ). When going into the "Previous 30 Days" tab and choosing no splitby, a license violation is shown, when switching to a splitby (e.g. index), there a still 50GB free before the pool size is reached. So there's a delta of 50GB between "RolloverSummary" and "Usage" calculations.

Trying to find these unaccounted, missing 50GB has been unfruitful so far.

Can you please elaborate a little more on these artificats? What volume does count towards license volume, is it "RolloverSummary"?

0 Karma

Path Finder

Now with the new DMC in v6.4 there are still both types of license usage reporting. And it is Type=RolloverSummary, which is the reference for actual daily license count. Unfortunately Type=RolloverSummary does not offer the sourcetype. Only Type=Usage does. Yesterday we had delta of 120GB between both license usages calculation types. It is thus nearly impossible do analyze a license violation down to the sourcetype / data source which caused it, when missing 120GB in the reporting.
One could think that splunk has no interest in offering a license usage report, which would allow customers to identify what data sources they spend their money on.

0 Karma