Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

License usage: What is the difference in total usage when using "split by" and "no split"?

alexanderl
Engager
‎02-21-2022 06:21 AM

I just noticed a difference in license usage when looking  at 30 days license usage.

With "no split" I am within license limit by 60GB or so, but with "split by" for example by index, I am way over our license limit?

It differs like 90GB or so in total between "no split" and "split by"?

No warnings are shown about license usage, so I think that "no split" shows the correct summary.

Anybody has a clue as to why?

Labels (1)
Labels
Reply

anel
Explorer
‎11-23-2022 11:39 PM

We have an Index Cluster with two servers and have the same issue in the monitoring console. 

The "/opt/splunk/var/log/splunk/license_usage.log" is synced between both indexers. It counts the bytes twice , so we always see double the usage size when split by index. 

Now, instead, we use the Usage Report on the license master (en-GB/manager/search/licenseusage) where it works. 

Try to find a rare byte value in your logs from the search below. You should see the log coming in from all your Splunk Servers.

 

`dmc_set_index_internal` source=*license_usage.log* type="Usage"

 

Enter the rare byte value.

 

`dmc_set_index_internal` source=*license_usage.log* type="Usage" <Rare Byte Value>

 

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-24-2022 01:50 AM

Firstly, creating a new thread with your situation description (possibly pointing to an old thread for reference) might be beneficial for your question visibility.

Secondly, why would you sync a log file between indexers???

0 Karma
Reply

anel
Explorer
‎11-24-2022 02:26 AM

Hi, 

1. It is a response to the question above. 

2. Maybe we have a configuration issue then, and @alexanderl might has the same. But that is not exactly the point. I just wanted to add some help on the discussion to "Anybody has a clue as to why?". In our case this is the problem.`dmc_licensing_usage_all()' just adds up those number and returns double the actual license usage. 

anel_0-1669285444959.png

 

 

 
 
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-24-2022 02:29 AM

OK. I interpreted it a bit like "we have similar issue, help us" 🙂 No worries.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎02-22-2022 01:51 AM
I just checked this on two environment single node and distributed with separate LM and I didn't notice this kind of difference. Both ways shows the same result.
r. Ismo
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top