License reporting: Usage vs Rollover Summary

lpino
Path Finder

Hi all,
I've already been searching for an answer to my question within the community but I didn't find anything exhaustive.
Basically, I noticed different numbers for license usage if computed using the Rollover Summary (the "official" one) vs the Usage log type. Of course, I know that Rollover Summary logs refer to the previous day.
With this in mind, the issue does not happen every day, but sometimes the license usage computed using the "Usage" logs is about 10% greater than the Rollover Summary.
I'd like to understand why this happens since I'm experiencing some license violations and I'm trying to investigate which index/sourcetype is mainly responsible. But this is not easy since the detailed usage aggregated doesn't correspond to the Rollover Summary.
Just to be more clear, if I run this search on the License Master, I get a number for yesterday (say 100 GB):

index=_telemetry source=*license_usage_summary.log 
| eval _time=_time - 43200, usage_GB = round(b/1024/1024/1024, 3)
| timechart span=1d sum(usage_GB) as usage_GB

while if I run this one, split by index, the aggregate gives me a value about 10% higher (110 GB):

 

index=_internal source=*license_usage.log* type=Usage st!="modular*" 
| eval gb=b/1024/1024/1024
| timechart span=1d sum(gb) AS idx_volume_GB by idx

The License Master is enabled on a Windows 2016 Server, with Splunk 7.3.6.
Does anyone know why this happens and how to overcome this "issue"?

Thanks in advance

jodonald
Explorer

The license usage in the _internal logs is what Splunk uses to calculate and compare against your license.  So that should be considered the "source of truth".

The search you posted for searching the licensing logs is purposely excluding the sourcetype(s) starting with modular*, which may be impacting the results. Remove that from the search and see if the numbers are closer.

The licensing in the _telemetry is a summarization of the data in the _internal logs that is optionally sent to Splunk for supporting your environment.

references:

How Splunk Enterprise licensing works - Splunk Documentation

Hope that helps.

lpino
Path Finder

Hi @jodonald, thanks for your answer.
Unfortunately, the sourcetype "modular*" doesn't impact that much on license (it's just about 1 MB/day), while the difference between the Rollover Summary and the Usage logs is 5-6 GB in my environment.

So, even after removing that clause the results are way different:

index=_internal source=*license_usage.log* type=Usage
| eval gb=b/1024/1024/1024
| timechart span=1d sum(gb) AS idx_volume_GB by idx

As per what I read in other posts, the value reported in the Rollover Summary (also available in the _internal index) is the "official" one used for licensing (this is the value shown in the Splunk License Usage Report page in the GUI), so I am confident that this is the right value.
