Installation
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

License usage: What is the difference in total usage when using "split by" and "no split"?

alexanderl
Engager
‎02-21-2022 06:21 AM

I just noticed a difference in license usage when looking  at 30 days license usage.

With "no split" I am within license limit by 60GB or so, but with "split by" for example by index, I am way over our license limit?

It differs like 90GB or so in total between "no split" and "split by"?

No warnings are shown about license usage, so I think that "no split" shows the correct summary.

Anybody has a clue as to why?

Labels (1)
Labels
Reply

anel
Explorer
‎11-23-2022 11:39 PM

We have an Index Cluster with two servers and have the same issue in the monitoring console. 

The "/opt/splunk/var/log/splunk/license_usage.log" is synced between both indexers. It counts the bytes twice , so we always see double the usage size when split by index. 

Now, instead, we use the Usage Report on the license master (en-GB/manager/search/licenseusage) where it works. 

Try to find a rare byte value in your logs from the search below. You should see the log coming in from all your Splunk Servers.

 

`dmc_set_index_internal` source=*license_usage.log* type="Usage"

 

Enter the rare byte value.

 

`dmc_set_index_internal` source=*license_usage.log* type="Usage" <Rare Byte Value>

 

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-24-2022 01:50 AM

Firstly, creating a new thread with your situation description (possibly pointing to an old thread for reference) might be beneficial for your question visibility.

Secondly, why would you sync a log file between indexers???

0 Karma
Reply

anel
Explorer
‎11-24-2022 02:26 AM

Hi, 

1. It is a response to the question above. 

2. Maybe we have a configuration issue then, and @alexanderl might has the same. But that is not exactly the point. I just wanted to add some help on the discussion to "Anybody has a clue as to why?". In our case this is the problem.`dmc_licensing_usage_all()' just adds up those number and returns double the actual license usage. 

anel_0-1669285444959.png

 

 

 
 
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-24-2022 02:29 AM

OK. I interpreted it a bit like "we have similar issue, help us" 🙂 No worries.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎02-22-2022 01:51 AM
I just checked this on two environment single node and distributed with separate LM and I didn't notice this kind of difference. Both ways shows the same result.
r. Ismo
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...