When reviewing License Usage for the previous 30 d...

Kieffer87 · ‎03-20-2017

When I review my license usage for the past 30 days with No Split I average 330-380GB which sounds accurate. However If I split by Index (each source is split into indexes) I average 730+GB. My checkpoint firewall/IPS index alone shows as having used 500GB daily. I'm only licensed for 500GB a day and have no license warnings or violations which leads me to believe No Split is accurate, but I'm trying to understand why no split reports differently than by index?

I have an indexer cluster of 4 indexers with a rep factor of 2. I also have a heavy forwarder that I use with two of my indexes, one of which is checkpoint. The Heavy Forwarder is set to only forward and not index, could it still be counting towards my license usage history for some reason?

DalJeanis · ‎03-20-2017

Are you using these queries?

https://answers.splunk.com/answers/355874/how-to-find-license-usage-by-indexes.html

If not, please post the queries you are using for "no split" and "split by index".

somesoni2 · ‎03-20-2017

What query you're using to check the license usage, from metrics.log or license_usage.log?

Kieffer87 · ‎03-20-2017

I'm using the built in Distributed Management Console.

When reviewing License Usage for the previous 30 days, why is the usage not matching between "No Split" and "Split by Index"?

license

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms