
When reviewing License Usage for the previous 30 days, why is the usage not matching between "No Split" and "Split by Index"?

Communicator

When I review my license usage for the past 30 days with No Split, I average 330-380GB, which sounds accurate. However, if I split by Index (each source is split into indexes), I average 730+GB. My checkpoint firewall/IPS index alone shows as having used 500GB daily. I'm only licensed for 500GB a day and have no license warnings or violations, which leads me to believe No Split is accurate, but I'm trying to understand why No Split reports differently than by index.

I have an indexer cluster of 4 indexers with a rep factor of 2. I also have a heavy forwarder that I use with two of my indexes, one of which is checkpoint. The Heavy Forwarder is set to only forward and not index; could it still be counting towards my license usage history for some reason?

0 Karma

Re: When reviewing License Usage for the previous 30 days, why is the usage not matching between "No Split" and "Split by Index"?

SplunkTrust

What query are you using to check the license usage: from metrics.log or license_usage.log?

0 Karma

Re: When reviewing License Usage for the previous 30 days, why is the usage not matching between "No Split" and "Split by Index"?

Communicator

I'm using the built-in Distributed Management Console.

0 Karma

Re: When reviewing License Usage for the previous 30 days, why is the usage not matching between "No Split" and "Split by Index"?

SplunkTrust

Are you using these queries?

https://answers.splunk.com/answers/355874/how-to-find-license-usage-by-indexes.html

If not, please post the queries you are using for "no split" and "split by index".

0 Karma