Installation

License usage: What is the difference in total usage when using "split by" and "no split"?

alexanderl
Engager

I just noticed a difference in license usage when looking  at 30 days license usage.

With "no split" I am within license limit by 60GB or so, but with "split by" for example by index, I am way over our license limit?

It differs like 90GB or so in total between "no split" and "split by"?

No warnings are shown about license usage, so I think that "no split" shows the correct summary.

Anybody has a clue as to why?

Labels (1)

anel
Explorer

We have an Index Cluster with two servers and have the same issue in the monitoring console. 

The "/opt/splunk/var/log/splunk/license_usage.log" is synced between both indexers. It counts the bytes twice , so we always see double the usage size when split by index. 

Now, instead, we use the Usage Report on the license master (en-GB/manager/search/licenseusage) where it works. 

Try to find a rare byte value in your logs from the search below. You should see the log coming in from all your Splunk Servers.

 

`dmc_set_index_internal` source=*license_usage.log* type="Usage"

 

Enter the rare byte value.

 

`dmc_set_index_internal` source=*license_usage.log* type="Usage" <Rare Byte Value>

 

 

0 Karma

PickleRick
Ultra Champion

Firstly, creating a new thread with your situation description (possibly pointing to an old thread for reference) might be beneficial for your question visibility.

Secondly, why would you sync a log file between indexers???

0 Karma

anel
Explorer

Hi, 

1. It is a response to the question above. 

2. Maybe we have a configuration issue then, and @alexanderl might has the same. But that is not exactly the point. I just wanted to add some help on the discussion to "Anybody has a clue as to why?". In our case this is the problem.`dmc_licensing_usage_all()' just adds up those number and returns double the actual license usage. 

anel_0-1669285444959.png

 

 

 
 
0 Karma

PickleRick
Ultra Champion

OK. I interpreted it a bit like "we have similar issue, help us" 🙂 No worries.

0 Karma

isoutamo
SplunkTrust
SplunkTrust
I just checked this on two environment single node and distributed with separate LM and I didn't notice this kind of difference. Both ways shows the same result.
r. Ismo
0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...