I just noticed a difference in license usage when looking at 30 days license usage.
With "no split" I am within license limit by 60GB or so, but with "split by" for example by index, I am way over our license limit?
It differs like 90GB or so in total between "no split" and "split by"?
No warnings are shown about license usage, so I think that "no split" shows the correct summary.
Anybody has a clue as to why?
We have an Index Cluster with two servers and have the same issue in the monitoring console.
The "/opt/splunk/var/log/splunk/license_usage.log" is synced between both indexers. It counts the bytes twice , so we always see double the usage size when split by index.
Now, instead, we use the Usage Report on the license master (en-GB/manager/search/licenseusage) where it works.
Try to find a rare byte value in your logs from the search below. You should see the log coming in from all your Splunk Servers.
`dmc_set_index_internal` source=*license_usage.log* type="Usage"
Enter the rare byte value.
`dmc_set_index_internal` source=*license_usage.log* type="Usage" <Rare Byte Value>
Firstly, creating a new thread with your situation description (possibly pointing to an old thread for reference) might be beneficial for your question visibility.
Secondly, why would you sync a log file between indexers???
1. It is a response to the question above.
2. Maybe we have a configuration issue then, and @alexanderl might has the same. But that is not exactly the point. I just wanted to add some help on the discussion to "Anybody has a clue as to why?". In our case this is the problem.`dmc_licensing_usage_all()' just adds up those number and returns double the actual license usage.