Why is my license host blank?

a212830
Champion

Hi,

I ran the following search to get a license usage report by idx, sourcetype and host. One of the hosts is coming in as blank. Why is that?

index=_internal source=*license_usage.log type="Usage" idx=ngcc* 
 | fields _time, st, b, idx, h
 | bin _time span=1d 
 | stats sum(b) as GB by _time, idx, st, h
 | eval GB=round(GB/1024/1024/1024, 3)
 | rename st as sourcetypename
 | join type=left i [
     | rest count=0 /services/licenser/slaves 
     | rename label as slave | search (slave=host1 OR slave=host2)
     | rename title as i 
     | table i slave
 ]
0 Karma

somesoni2
Revered Legend

The reason for a blank host (field 'h') or sourcetype (st)/source (s) is squashing in the license logs.

Here are the details about it from the Splunk docs:

Squashing

Every indexer periodically reports to license manager stats of the data indexed: broken down by source, source type, host, and index. If the number of distinct (source, source type, host, index) tuples grows over the squash_threshold, Splunk squashes the {host, source} values and only reports a breakdown by {sourcetype, index}. This is to prevent explosions in memory and license_usage.log lines.

Because of squashing on the other fields, only the split-by source type and index will guarantee full reporting (every byte). Split by source and host do not guarantee full reporting necessarily, if those two fields represent many distinct values. Splunk reports the entire quantity indexed, but not the names. So you lose granularity (that is, you don't know who consumed that amount), but you still know what the amount consumed is.

Squashing is configurable (with care!) in server.conf, in the [license] stanza, with the squash_threshold setting. You can increase the value, but doing so can use a lot of memory, so consult a Splunk Support engineer before changing it.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/AboutSplunksLicenseUsageReportView#Split-by:...
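
A simplified model of the squashing rule quoted above, added here as an illustration; it is not part of the original answer and not Splunk's code. The function names, the sample events and the use of empty strings for squashed host and source names are assumptions of this model.

```python
from collections import defaultdict

def report_usage(events, squash_threshold):
    """Aggregate indexed bytes as the quoted doc describes (simplified model).

    events: iterable of (source, sourcetype, host, index, bytes).
    Returns rows named after license_usage.log fields: s, st, h, idx, b.
    """
    per_tuple = defaultdict(int)
    for s, st, h, idx, b in events:
        per_tuple[(s, st, h, idx)] += b

    # At or under the threshold: full breakdown, every name is reported.
    if len(per_tuple) <= squash_threshold:
        return [dict(s=s, st=st, h=h, idx=idx, b=b)
                for (s, st, h, idx), b in sorted(per_tuple.items())]

    # Over the threshold: host and source names are dropped, but the
    # bytes are still summed per (sourcetype, index), so nothing is lost.
    squashed = defaultdict(int)
    for (_s, st, _h, idx), b in per_tuple.items():
        squashed[(st, idx)] += b
    return [dict(s="", st=st, h="", idx=idx, b=b)
            for (st, idx), b in sorted(squashed.items())]

def bytes_by(rows, field):
    """Sum bytes per value of one field, like `stats sum(b) by <field>`."""
    totals = defaultdict(int)
    for row in rows:
        totals[row[field]] += row["b"]
    return dict(totals)

# Constructed sample: five hosts, one source each, 100 bytes per host.
SAMPLE = [(f"/var/log/app{n}.log", "app_logs", f"host{n}", "ngcc_main", 100)
          for n in range(1, 6)]

if __name__ == "__main__":
    for threshold in (10, 3):
        rows = report_usage(SAMPLE, threshold)
        print(f"squash_threshold={threshold}")
        print("  by host :", bytes_by(rows, "h"))
        print("  by index:", bytes_by(rows, "idx"))
```

With the threshold below the number of distinct tuples, the split by host collapses into a single blank entry while the split by index still accounts for every byte.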

sloshburch
Ultra Champion

Agreed. +1

0 Karma

gcusello
SplunkTrust

I think it is because the "i" field that you use to join the two searches doesn't match in the first search: if you use an inner join you don't find anything!
Bye.
Giuseppe

0 Karma

a212830
Champion

Why would one server not match?

0 Karma

gcusello
SplunkTrust

You have to check separately, in both searches, what the values of the "i" field that you used for the join are; probably you don't have it in the first one.
Bye.
Giuseppe

0 Karma

a212830
Champion

I would expect nothing to match, if that's the case.

0 Karma

gcusello
SplunkTrust

If you're expecting no match, how can you have results?
Anyway, as a first step you have to verify whether the i field matches, to be sure that the correlation is working.
Afterwards you can check the slaves that don't satisfy your condition; otherwise how can you know if your rule is correct or not?
In particular, verify the "i" field, because it's the join key, and you have to verify that this field is present in both searches and in the same format (upper, extensions, ...).
In your screenshot the slave field is blank but the i field is also blank; you are using a left join, so probably the i field doesn't match.

Bye.
Giuseppe

0 Karma