Hello, dear Splunk Community.
I am trying to extract the ingest volume from our client's search head, but I noticed that I am getting different results depending on which method I am using.
For example, if a run the following query:
index=_internal source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval GB=round(b/1024/1024/1024, 3) | timechart sum(GB) as Volume span=1d
I get the following table:
_time Volume
| 2024-11-25 | 240.489 |
| 2024-11-26 | 727.444 |
| 2024-11-27 | 751.526 |
| 2024-11-28 | 777.469 |
| 2024-11-29 | 727.366 |
| 2024-11-30 | 724.419 |
| 2024-12-01 | 787.632 |
| 2024-12-02 | 587.710 |
On the other hand, when I got to Apps > CMC > License usage > Ingest, and fetch the data for "last 7 days" (same as above) I get the following table:
_time GB
| 2024-11-25 | 851.012 |
| 2024-11-26 | 877.134 |
| 2024-11-27 | 872.973 |
| 2024-11-28 | 949.041 |
| 2024-11-29 | 939.627 |
| 2024-11-30 | 835.154 |
| 2024-12-01 | 955.316 |
| 2024-12-02 | 963.486 |
As you can see, there is a considerable mismatch between both results. So here's where I'm at a crossroad because I don't know which one should I trust. Based on previous topics, I notice the above query has been recommended before, even in posts from 2024.
I don't know if this is related to my user not having the appropriate capabilities or whatnot, but any insights about this issue are greatly appreciated.
Cheers, everyone.
