Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to generate license utilization report per day and save it for historical data?

GersonGarcia
Path Finder
‎07-06-2022 02:15 PM

All,

This is another license utilization report mismatch.

I have request to generate license utilization report per day and save it for historical data.

I am using the 30 Days License Usage report as a base for my daily report:

 

 

index=_internal host=licensemaster source=*license_usage.log* type="RolloverSummary" earliest=-1d@d latest=-0d@d | bin _time span=1d | stats sum(b) as sumb last(stacksz) as laststacksz by _time component | eval sumgb=round(sumb/1024/1024/1024, 3) | eval laststackszgb=round(laststacksz/1024/1024/1024, 3)

 

 

And it is giving me the result as expected:

Screen Shot 2022-07-06 at 4.09.24 PM.png

I want to go further and try to get the license utilization per hour, so I changed the search to:

 

 

index=_internal host=licensemaster source=*license_usage.log* type=Usage earliest=-1d@d latest=-0d@d | stats sum(b) as sumb last(poolsz) as lastpoolsz by _time | eval sumgb=round(sumb/1024/1024/1024, 3) | eval lastpoolszg=round(lastpoolsz/1024/1024/1024, 3) | addcoltotals sumb

 

 

But the result is lower than than the daily one:

Screen Shot 2022-07-06 at 4.12.09 PM.png

967069668524 bytes is 900.656 Gb.

What am I doing wrong? I am running Splunk Enterprise 8.2.6.

Thank you,

Gerson Garcia

Labels (1)
Labels
0 Karma
Reply

GersonGarcia
Path Finder
‎07-07-2022 02:16 PM

@PickleRickand @ITWhisperer I am not rounding anything before stats, it does not make any difference if I run

index=_internal host=licensemaster source=*license_usage.log* type=Usage earliest=-1d@d latest=-0d@d | stats sum(b) as sumb last(poolsz) as lastpoolsz by _time | addcoltotals sumb

The sum(b) is the same 967069668524 or 900.653

Screen Shot 2022-07-07 at 4.14.26 PM.png

 

0 Karma
Reply

GersonGarcia
Path Finder
‎07-07-2022 02:19 PM

@ITWhisperer @PickleRick The license utilization reported by License Master is 947.996

Screen Shot 2022-07-07 at 4.17.09 PM.png

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-07-2022 10:00 PM

 You are right - it looks like Rollover Summary and Usage are inconsistent.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-06-2022 11:27 PM

That might have nothing to do with the issue but don't round before summing. You'll accumulate rounding errors.

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-06-2022 11:51 PM

As @PickleRick says, don't round before summing - you have over a million statistics, rounding errors of 0.0001GB * 1,000,000 = 100GB - being only 47GB out is not beyond reason 😀

If you want to display as GB, try using fieldformat

index=_internal host=licensemaster source=*license_usage.log* type=Usage earliest=-1d@d latest=-0d@d | stats sum(b) as sumb last(poolsz) as lastpoolsz by _time | fieldformat sumgb=round(sumb/1024/1024/1024, 3) | fieldformat lastpoolszg=round(lastpoolsz/1024/1024/1024, 3) | addcoltotals sumb
0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...