Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to generate license utilization report per day and save it for historical data?

GersonGarcia
Path Finder
‎07-06-2022 02:15 PM

All,

This is another license utilization report mismatch.

I have request to generate license utilization report per day and save it for historical data.

I am using the 30 Days License Usage report as a base for my daily report:

 

 

index=_internal host=licensemaster source=*license_usage.log* type="RolloverSummary" earliest=-1d@d latest=-0d@d | bin _time span=1d | stats sum(b) as sumb last(stacksz) as laststacksz by _time component | eval sumgb=round(sumb/1024/1024/1024, 3) | eval laststackszgb=round(laststacksz/1024/1024/1024, 3)

 

 

And it is giving me the result as expected:

Screen Shot 2022-07-06 at 4.09.24 PM.png

I want to go further and try to get the license utilization per hour, so I changed the search to:

 

 

index=_internal host=licensemaster source=*license_usage.log* type=Usage earliest=-1d@d latest=-0d@d | stats sum(b) as sumb last(poolsz) as lastpoolsz by _time | eval sumgb=round(sumb/1024/1024/1024, 3) | eval lastpoolszg=round(lastpoolsz/1024/1024/1024, 3) | addcoltotals sumb

 

 

But the result is lower than than the daily one:

Screen Shot 2022-07-06 at 4.12.09 PM.png

967069668524 bytes is 900.656 Gb.

What am I doing wrong? I am running Splunk Enterprise 8.2.6.

Thank you,

Gerson Garcia

Labels (1)
Labels
0 Karma
Reply

GersonGarcia
Path Finder
‎07-07-2022 02:16 PM

@PickleRickand @ITWhisperer I am not rounding anything before stats, it does not make any difference if I run

index=_internal host=licensemaster source=*license_usage.log* type=Usage earliest=-1d@d latest=-0d@d | stats sum(b) as sumb last(poolsz) as lastpoolsz by _time | addcoltotals sumb

The sum(b) is the same 967069668524 or 900.653

Screen Shot 2022-07-07 at 4.14.26 PM.png

 

0 Karma
Reply

GersonGarcia
Path Finder
‎07-07-2022 02:19 PM

@ITWhisperer @PickleRick The license utilization reported by License Master is 947.996

Screen Shot 2022-07-07 at 4.17.09 PM.png

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-07-2022 10:00 PM

 You are right - it looks like Rollover Summary and Usage are inconsistent.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-06-2022 11:27 PM

That might have nothing to do with the issue but don't round before summing. You'll accumulate rounding errors.

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-06-2022 11:51 PM

As @PickleRick says, don't round before summing - you have over a million statistics, rounding errors of 0.0001GB * 1,000,000 = 100GB - being only 47GB out is not beyond reason 😀

If you want to display as GB, try using fieldformat

index=_internal host=licensemaster source=*license_usage.log* type=Usage earliest=-1d@d latest=-0d@d | stats sum(b) as sumb last(poolsz) as lastpoolsz by _time | fieldformat sumgb=round(sumb/1024/1024/1024, 3) | fieldformat lastpoolszg=round(lastpoolsz/1024/1024/1024, 3) | addcoltotals sumb
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...