I've already been searching for an answer to my question within the community but I didn't find anything exhaustive.
Basically, I noticed different numbers for license usage when computed using the Rollover Summary (the "official" one) vs the Usage log type. Of course, I know that Rollover Summary logs refer to the previous day.
With this in mind, the issue doesn't happen every day, but sometimes the license usage computed using the "Usage" logs is about 10% greater than the Rollover Summary.
I'd like to understand why this happens since I'm experiencing some license violations and I'm trying to investigate which index/sourcetype is mainly responsible. But this is not easy since the aggregated detailed usage doesn't correspond to the Rollover Summary.
Just to be more clear, if I run this search on the License Master, I get a number for yesterday (say 100 GB):
index=_telemetry source=*license_usage_summary.log | eval _time=_time - 43200, usage_GB = round(b/1024/1024/1024, 3) | timechart span=1d sum(usage_GB) as usage_GB
while if I run this one, split by index, the aggregate gives me a value about 10% higher (110 GB):
index=_internal source=*license_usage.log* type=Usage st!="modular*" | eval gb=b/1024/1024/1024 | timechart span=1d sum(gb) AS idx_volume_GB by idx
The License Master is enabled on a Windows 2016 Server, with Splunk 7.3.6.
Does anyone know why this happens and how to overcome this "issue"?
Thanks in advance
The license usage in the _internal logs is what Splunk uses to calculate and compare against your license. So that should be considered the "source of truth".
The search you posted for searching the licensing logs is purposely excluding the sourcetype(s) starting with modular*, which may be impacting the results. Remove that from the search and see if the numbers are closer.
The licensing in the _telemetry is a summarization of the data in the _internal logs that is optionally sent to Splunk for supporting your environment.
Hope that helps.
Hi @jodonald, thanks for your answer.
Unfortunately, the sourcetype "modular*" doesn't have much impact on the license (it's just about 1 MB/day), while the difference between the Rollover Summary and the Usage logs is 5-6 GB in my environment.
So, even after removing that clause, the results are still way different:
index=_internal source=*license_usage.log* type=Usage | eval gb=b/1024/1024/1024 | timechart span=1d sum(gb) AS idx_volume_GB by idx
As per what I read in other posts, the value reported in the Rollover Summary (also available in the _internal index) is the "official" one used for licensing (this is the value shown in the Splunk License Usage Report page in the GUI), so I am confident that this is the right value.
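As an added example (not from any of the posters, and not Splunk's own code), a small Python script that does offline what the two searches in this thread do: it parses constructed license_usage.log lines, sums type=Usage bytes per UTC day and per index, shifts each RolloverSummary back 12 h as the question's search does, and reports the per-day gap together with the heaviest index. The line layout and field names (type, st, idx, b) are assumed from the searches above, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample approximating license_usage.log (fields type, st, idx, b
# as used in the thread's searches); timestamps in UTC. Not real data.
SAMPLE_LOG = """\
08-19-2020 23:59:55.000 +0000 INFO  LicenseUsage - type="Usage" st="syslog" idx="main" b=3221225472
08-19-2020 23:59:56.000 +0000 INFO  LicenseUsage - type="Usage" st="access_combined" idx="web" b=1073741824
08-19-2020 23:59:57.000 +0000 INFO  LicenseUsage - type="Usage" st="modular:inputs" idx="main" b=1048576
08-20-2020 00:00:01.000 +0000 INFO  LicenseUsage - type="RolloverSummary" b=3900000000
08-20-2020 10:00:00.000 +0000 INFO  LicenseUsage - type="Usage" st="syslog" idx="main" b=2147483648
"""

TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} ([+-]\d{4})")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
GB = 1024 ** 3

def parse_line(line):
    """Return (utc_timestamp, fields) for one LicenseUsage line, else None."""
    m = TS_RE.match(line)
    if not m or "LicenseUsage" not in line:
        return None
    ts = datetime.strptime(m.group(1) + m.group(2), "%m-%d-%Y %H:%M:%S%z")
    fields = {k: q or u for k, q, u in KV_RE.findall(line)}
    return ts.astimezone(timezone.utc), fields

def aggregate(log_text):
    """usage[day][idx] from type=Usage lines; rollover[day] from RolloverSummary
    lines shifted back 12 h (the eval _time - 43200 in the question's search)."""
    usage = defaultdict(lambda: defaultdict(int))
    rollover = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, f = parsed
        if f.get("type") == "Usage":
            usage[ts.date().isoformat()][f.get("idx", "")] += int(f["b"])
        elif f.get("type") == "RolloverSummary":
            rollover[(ts - timedelta(hours=12)).date().isoformat()] += int(f["b"])
    return usage, rollover

def compare(log_text):
    """Per day that has a summary: usage GB, rollover GB, % gap, heaviest index."""
    usage, rollover = aggregate(log_text)
    report = {}
    for day, per_idx in usage.items():
        if day in rollover:  # days without a summary yet (e.g. today) are skipped
            u, r = sum(per_idx.values()), rollover[day]
            report[day] = {"usage_gb": round(u / GB, 3), "rollover_gb": round(r / GB, 3),
                           "gap_pct": round((u - r) / r * 100, 1),
                           "top_idx": max(per_idx, key=per_idx.get)}
    return report
```

With the constructed input, compare(SAMPLE_LOG) reports a 10.2% gap for 2020-08-19 with "main" as the heaviest index, and skips 2020-08-20 because no summary has been written for it yet.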