Monitoring Splunk

License usage stats in monitoring console seem very off

Robbie1194
Communicator

Hi guys,

So I've noticed that when we go into the monitoring console and view the license usage over the previous 30 days, it works fine as is. However, if I change it to split by index/sourcetype/etc, the figures change drastically and are nowhere near correct.

For example, say our daily license is 300GB, it says that ONE of our indexes used 570GB that day, not to mention our other 8 or so indexes.

We have a search head cluster that can run this search:

index=_internal source=*license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false
| join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
| fields - "stack size"
| addtotals

and get the correct figures for license usage by index/sourcetype/etc. But the monitoring console's figures don't match when using this search.

I think our license master sends its internal logs to our indexers so I don't understand why the mc can't query it but the shc can? Anyone got any ideas? I'm not too clued up on how all the license usage stuff works so if anyone has a better understanding, some explanations would be appreciated!

Cheers!

0 Karma

mdsnmss
SplunkTrust

I have actually noticed issues with that myself and created an app for license monitoring because of it (https://splunkbase.splunk.com/app/3576/). I reverse engineered the Monitoring Console's searches and that base component of the search is like the one you posted. From what I've seen in the Monitoring Console, it appears to double each value when it is split. This makes it seem that the data is getting returned twice. It sounds like your setup is similar to mine where the internal logs get sent to the indexers. My guess is running the search on the License Master accesses the internal logs locally, as well as from the indexers and returns the same data twice.

0 Karma
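Added example, not code from either poster: a Python model of the double-counting mdsnmss describes. Constructed license_usage.log "type=Usage" lines are returned by two peers (the license master's local _internal and an indexer's forwarded copy; both peer names and all values are assumed), summing both copies doubles the per-index daily figure, and counting peers per record is a quick check for the condition.

```python
import re
from collections import defaultdict

# Constructed license_usage.log "type=Usage" lines (values invented; b is bytes indexed).
USAGE_LINES = [
    '01-02-2024 00:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st="syslog" h="web01" idx="main" pool="auto_generated_pool_enterprise" b=3221225472 poolsz=322122547200',
    '01-02-2024 00:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st="WinEventLog" h="dc01" idx="wineventlog" pool="auto_generated_pool_enterprise" b=2147483648 poolsz=322122547200',
    '01-03-2024 00:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st="syslog" h="web01" idx="main" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=322122547200',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_usage(line, splunk_server):
    """Return the key=value pairs plus timestamp, day and the peer that returned the event."""
    fields = {k: q or u for k, q, u in KV_RE.findall(line)}
    if fields.get("type") != "Usage":
        return None
    fields["ts"] = " ".join(line.split(" ", 3)[:3])   # "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ"
    fields["day"] = fields["ts"].split(" ")[0]
    fields["splunk_server"] = splunk_server           # assumed peer name, not in the log line
    fields["b"] = int(fields["b"])
    return fields

def record_key(e):
    """Everything that identifies one usage record except which peer served it."""
    return (e["ts"], e["h"], e["s"], e["st"], e["idx"], e["pool"], e["b"])

def collect(peers):
    """peers: {splunk_server: [lines]}; every peer holding a copy of _internal returns its copy."""
    events = []
    for server, lines in peers.items():
        events.extend(e for e in (parse_usage(l, server) for l in lines) if e)
    return events

def gb_by_day_idx(events, dedup):
    """Equivalent of 'stats sum(b) by _time idx' with b converted to GB and rounded to 3 places.
    With dedup=True a record that differs only in splunk_server is counted once."""
    seen, totals = set(), defaultdict(int)
    for e in events:
        if dedup and record_key(e) in seen:
            continue
        seen.add(record_key(e))
        totals[(e["day"], e["idx"])] += e["b"]
    return {k: round(v / 1024 / 1024 / 1024, 3) for k, v in totals.items()}

def copies_per_record(events):
    """Diagnostic: number of distinct peers that returned each record; >1 means double counting."""
    peers = defaultdict(set)
    for e in events:
        peers[record_key(e)].add(e["splunk_server"])
    return {k: len(v) for k, v in peers.items()}

# The same lines reachable twice: locally on the license master and forwarded to an indexer.
EVENTS = collect({"license-master": USAGE_LINES, "idx01": USAGE_LINES})
DOUBLED = gb_by_day_idx(EVENTS, dedup=False)   # what a search that sees both copies reports
CORRECT = gb_by_day_idx(EVENTS, dedup=True)    # what a single copy of the log yields
```

In SPL the same check is a count of license_usage.log events by splunk_server; if every record appears on two peers, restrict the search to one of them rather than summing both.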