- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- How to resolve mismatch in daily license usage vs....
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have ran some query for Data coming through all of the forwarders and matched it with actual daily license utilization.
some of the queries are,
- index=_internal group=* group=per_host_thruput | bucket _time span=1d|bin _time |eval time=strftime(_time,"%m/%d/%y") | eval kb=(kb/1024/1024) | stats sum(kb) as SUM by time series | xyseries series time SUM |sort -SUM
- index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)
Its weird that results the search are showing is far greater than the actual utilzation, ran it for today accounting all forwarders & the sum shows almost 500Gigs of data where as license utilization is 280+Gigs only.
Is it something wrong with the search or am i missing out something?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @splunker12er, tried your's query but the only host it is showing is license master itself not any other.
However try this query, it gives exact license usage per host along with index, source and sourcetype.
index=_internal [set_local_host] source=license_usage.log type="Usage"
2. | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
3. | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
4. | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
5. |dedup _time host i b s st h idx
6. | bin _time span=1d
7. | stats sum(b) as b values(s) As Source values(st) As sourceType values(idx) As Index values(_time) As Time by h
8. | eval r_GB=b/1024/1024/1024 | convert ctime(Time) timeformat="%m/%d%Y %H:%M:%S %z"
9. |sort -r_GB
Enjoy!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @splunker12er, tried your's query but the only host it is showing is license master itself not any other.
However try this query, it gives exact license usage per host along with index, source and sourcetype.
index=_internal [set_local_host] source=license_usage.log type="Usage"
2. | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
3. | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
4. | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
5. |dedup _time host i b s st h idx
6. | bin _time span=1d
7. | stats sum(b) as b values(s) As Source values(st) As sourceType values(idx) As Index values(_time) As Time by h
8. | eval r_GB=b/1024/1024/1024 | convert ctime(Time) timeformat="%m/%d%Y %H:%M:%S %z"
9. |sort -r_GB
Enjoy!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this query on license master, this gives correct license usage stats per host
index=_internal source=*license_usage.log* type=Usage
| bucket _time span=1d
| stats sum(b) AS volume_bytes by _time host pool i
| eval volume_GB=round(volume_bytes/1024/1024/1024,2)
| rename i AS indexer_GUID
| JOIN indexer_GUID [ | REST /services/licenser/slaves | table title label | rename title AS indexer_GUID| rename label AS indexer_name]
Index This | What are the 12 Days of Splunk-mas?
Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off
What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience
