Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does metrics.log search on a clustered environment display double the license usage value from the license master?

DavidHourani
Super Champion
‎12-02-2016 03:11 AM

Hello Splunkers,

I am trying to understand the results of the following command on a Search Head (SH) in a clustered environment (Search Head cluster + indexer cluster):

index="_internal" source="*metrics.log" per_index_thruput  | eval GB=kb/(1024*1024) | timechart span=1d sum(GB) | convert ctime(_time) as timestamp

Using it on a standalone instance this gives me the same values as my license usage. When I use it on a SH in a clustered environment, it's giving me double the license usage value from the license master.

Any idea why this could be the case? Does replication have anything to do with it?

Regards,
David

Labels (3)
Labels
0 Karma
Reply

twinspop
Influencer
‎12-02-2016 07:03 AM

Metrics logs are produced by all Splunk instances. If you have forwarders sending logs to an indexer, for example, you will potentially have 2 sets of metrics logs for any one category/series. You can get around this problem in 1 of 2 ways:

1) Isolate your search to your indexer(s) using host=your_indexer. The drawback here is that metrics are samples. By default, splunk only tracks the top 10 in each category. You can adjust this with maxseries under the metrics stanza in limits.conf.

2) Isolate your search to only the forwarders. One way to do this would be to EXCLUDE the indexers from your search: host!=your_indexer. Splunk still only tracks the top 10, but each forwarder has their own top 10, and you're more likely to get a complete(r) picture.

0 Karma
Reply

twinspop
Influencer
‎12-02-2016 07:24 AM

Also, see here for more Metrics goodness:

http://docs.splunk.com/Documentation/Splunk/6.5.0/Troubleshooting/Aboutmetricslog

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...