Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does metrics.log search on a clustered environment display double the license usage value from the license master?

DavidHourani
Super Champion
‎12-02-2016 03:11 AM

Hello Splunkers,

I am trying to understand the results of the following command on a Search Head (SH) in a clustered environment (Search Head cluster + indexer cluster):

index="_internal" source="*metrics.log" per_index_thruput  | eval GB=kb/(1024*1024) | timechart span=1d sum(GB) | convert ctime(_time) as timestamp

Using it on a standalone instance this gives me the same values as my license usage. When I use it on a SH in a clustered environment, it's giving me double the license usage value from the license master.

Any idea why this could be the case? Does replication have anything to do with it?

Regards,
David

Labels (3)
Labels
0 Karma
Reply

twinspop
Influencer
‎12-02-2016 07:03 AM

Metrics logs are produced by all Splunk instances. If you have forwarders sending logs to an indexer, for example, you will potentially have 2 sets of metrics logs for any one category/series. You can get around this problem in 1 of 2 ways:

1) Isolate your search to your indexer(s) using host=your_indexer. The drawback here is that metrics are samples. By default, splunk only tracks the top 10 in each category. You can adjust this with maxseries under the metrics stanza in limits.conf.

2) Isolate your search to only the forwarders. One way to do this would be to EXCLUDE the indexers from your search: host!=your_indexer. Splunk still only tracks the top 10, but each forwarder has their own top 10, and you're more likely to get a complete(r) picture.

0 Karma
Reply

twinspop
Influencer
‎12-02-2016 07:24 AM

Also, see here for more Metrics goodness:

http://docs.splunk.com/Documentation/Splunk/6.5.0/Troubleshooting/Aboutmetricslog

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...