I am trying to calculate the license usage per day with the following query
index=_internal source="*license_usage.*" earliest=@d
| eval MB=round(b/1024/1024,1)
| eval License_Percent_Usage=round(MB/500 * 100,1)
| TABLE MB License_Percent_Usage date_mday host
This is for trial license so we have 500 MB limit. The result shows me:
that my license usage volume MB is 29000.1 while in Manager/Licensing i see the volume as 3019 Mb. How do I get that exact volume?
Here, try this to get licence usage and % usage for today
index=_internal source=license_usage.log type="RolloverSummary" earliest=@d | bin _time span=1d | stats latest(b) AS b latest(stacksz) AS stacksz by slave, pool, _time | stats sum(b) AS volumeB max(stacksz) AS stacksz by _time | eval pctused=round(volumeB/stacksz*100,2)
change earliest=@d to earliest=-30d@d to check for last 30 days and so on.
index=_internal source="*license_usage.log" type=RolloverSummary | timechart span=1d sum(b) AS DailyVolume | eval DailyVolume=round(DailyVolume/1024/1024/1024,2) | eval License="5"
The license usage of splunk 5.0 is compatible with 4.3, not 4.2. The search to check license usage will be following. Could you try it? I think your search result may be including summary indexed data volume.
index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool
The following site is also helpful. Please take loot at it.
http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume
I found that wiki reference and link v useful, thanks for posting it Takajian.
splunk 5.0
The way that this is logged has changed dramatically across Splunk versions. What version are you running?