Why is my license host blank?
Hi,
I ran the following search to get a license usage report by idx, sourcetype and host. One of the hosts is coming in as blank. Why is that?
index=_internal source=*license_usage.log type="Usage" idx=ngcc*
| fields _time, st, b, idx, h
| bin _time span=1d
| stats sum(b) as GB by _time, idx, st, h
| eval GB=round(GB/1024/1024/1024, 3)
| rename st as sourcetypename
| join type=left i [
| rest count=0 /services/licenser/slaves
| rename label as slave | search (slave=host1 OR slave=host2)
| rename title as i
| table i slave
]

The reason for a blank host (field 'h') or sourcetype (st)/source (s) is squashing in the license logs.
Here are the details about it from the Splunk docs:
Squashing
Every indexer periodically reports to license manager stats of the data indexed: broken down by source, source type, host, and index. If the number of distinct (source, source type, host, index) tuples grows over the squash_threshold, Splunk squashes the {host, source} values and only reports a breakdown by {sourcetype, index}. This is to prevent explosions in memory and license_usage.log lines.
Because of squashing on the other fields, only the split-by source type and index will guarantee full reporting (every byte). Split by source and host do not guarantee full reporting necessarily, if those two fields represent many distinct values. Splunk reports the entire quantity indexed, but not the names. So you lose granularity (that is, you don't know who consumed that amount), but you still know what the amount consumed is.
Squashing is configurable (with care!) in server.conf, in the [license] stanza, with the squash_threshold setting. You can increase the value, but doing so can use a lot of memory, so consult a Splunk Support engineer before changing it.


Agreed. +1


I think it's because the "i" field that you use to join the two searches doesn't match in the first search: if you use an inner join you don't find anything!
Bye.
Giuseppe
Why would one server not match?


You have to check separately, in both searches, which values the "i" field that you used for the join has; probably the first one doesn't have it.
Bye.
Giuseppe
I would expect nothing to match, if that's the case.


If you're expecting no match, how can you have results?
Anyway, as a first thing you have to verify whether they match on the i field, to be sure that the correlation is working.
After that you can check the slaves that don't satisfy your condition; otherwise how can you know whether your rule is correct or not?
In particular, verify the "i" field, because it's the join key: you have to verify that this field is present in both searches and in the same format (upper case, extensions, ...).
In your screenshot the slave field is blank but the i field is blank too; you are using a left join, so probably the i field doesn't match.
Bye.
Giuseppe
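Added example, not code from the original thread or from Splunk: a small Python reproduction of what the SPL in the question does to license_usage.log, so that the two causes of blank fields discussed above (squashing in the accepted answer, and a join-key miss in Giuseppe's comments) can be told apart on the same data. The log lines, indexer GUIDs and host names are constructed sample data; the `LICENSER_SLAVES` dict stands in for `| rest /services/licenser/slaves | table title label` (title is the indexer GUID, the same value as `i` in license_usage.log; label is the host name). Replacing a blank `h`/`s` with the literal "(SQUASHED)" is a common SPL idiom (`eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)`) and is mirrored here in Python.

```python
"""
Added example (not from the original post or from Splunk). Two different
reasons for a blank field in a license usage report:

  1. squashing   -> h="" (and s="") inside the log line itself; the bytes are
                    still counted, only the host/source names are lost, so a
                    split by (idx, st) still accounts for every byte.
  2. join misses -> `slave` is blank because the `i` (indexer GUID) of a usage
                    row has no counterpart in the licenser/slaves output, e.g.
                    because the subsearch filtered that label out. A left join
                    keeps the row and leaves the joined field empty.

All sample data below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample of license_usage.log lines. The third Usage line mimics a
# squashed report: s and h are empty but b (bytes) is still present. The last
# line is not type=Usage and must be ignored, as the SPL's type="Usage" does.
SAMPLE_LOG = """\
03-10-2024 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app.log" st=app_json h="web01" o="" idx="ngcc_app" i="GUID-AAAA" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
03-10-2024 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app.log" st=app_json h="web02" o="" idx="ngcc_app" i="GUID-BBBB" pool="auto_generated_pool_enterprise" b=536870912 poolsz=53687091200
03-10-2024 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="" st=app_json h="" o="" idx="ngcc_app" i="GUID-AAAA" pool="auto_generated_pool_enterprise" b=268435456 poolsz=53687091200
03-10-2024 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/db.log" st=db_audit h="db01" o="" idx="ngcc_db" i="GUID-CCCC" pool="auto_generated_pool_enterprise" b=134217728 poolsz=53687091200
03-10-2024 00:00:01.000 +0000 INFO  LicenseUsage - type=RolloverSummary idx="ngcc_app" b=1879048192
"""

# Constructed stand-in for `| rest /services/licenser/slaves | table title label`.
# GUID-CCCC is deliberately absent to show how a left join yields a blank slave.
LICENSER_SLAVES = {"GUID-AAAA": "idx01.example.com", "GUID-BBBB": "idx02.example.com"}

# key=value pairs: value is either "quoted" (may be empty) or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_usage_line(line):
    """Return the fields of one type=Usage line as a dict (empty quoted values
    become "" so squashed lines stay detectable), or None for other line types."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, _, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    if fields.get("type") != "Usage":
        return None
    fields["b"] = int(fields["b"])
    return fields


def usage_by(rows, *keys):
    """Sum bytes per combination of the given fields, like `stats sum(b) by ...`."""
    totals = defaultdict(int)
    for r in rows:
        totals[tuple(r[k] for k in keys)] += r["b"]
    return dict(totals)


def label_squashed(rows):
    """Python form of `eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)` (and s)."""
    out = []
    for r in rows:
        r = dict(r)
        for k in ("h", "s"):
            if not r.get(k):
                r[k] = "(SQUASHED)"
        out.append(r)
    return out


def left_join_slave(rows, slaves):
    """Equivalent of `join type=left i [...]`: unmatched rows are kept, slave=""."""
    return [dict(r, slave=slaves.get(r["i"], "")) for r in rows]


def unmatched_join_keys(rows, slaves):
    """The check from the thread: which `i` values have no counterpart in slaves."""
    return sorted({r["i"] for r in rows} - set(slaves))


def analyse(log_text, slaves):
    """Run the whole report and return the numbers a practitioner would check."""
    rows = [r for r in (parse_usage_line(l) for l in log_text.splitlines()) if r]
    by_host = usage_by(label_squashed(rows), "h")
    joined = left_join_slave(rows, slaves)
    return {
        "total_bytes": sum(r["b"] for r in rows),
        "by_idx_st": usage_by(rows, "idx", "st"),       # accounts for every byte
        "by_host": by_host,                             # names lost to squashing
        "squashed_bytes": by_host.get(("(SQUASHED)",), 0),
        "unmatched_i": unmatched_join_keys(rows, slaves),
        "blank_slave_rows": sum(1 for r in joined if r["slave"] == ""),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, LICENSER_SLAVES)
    to_gb = lambda b: round(b / 1024 / 1024 / 1024, 3)
    print("total GB:", to_gb(result["total_bytes"]))
    print("by idx/st:", {k: to_gb(v) for k, v in result["by_idx_st"].items()})
    print("by host:", {k[0]: to_gb(v) for k, v in result["by_host"].items()})
    print("GUIDs with no slave:", result["unmatched_i"])
```

Running it shows that the (idx, st) split sums to exactly the total while the host split carries part of the volume under "(SQUASHED)"; separately, the row for GUID-CCCC keeps a blank `slave` because that GUID is not in the slaves list, even though its `h` is populated. In SPL the same two checks are `... | stats sum(b) by idx st` versus `... | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | stats sum(b) by h`, and comparing the distinct `i` values of the main search with the `title` values returned by the rest subsearch.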
