Monitoring Splunk

How to generate license utilization report per day and save it for historical data?

GersonGarcia
Path Finder

All,

This is another license utilization report mismatch.

I have a request to generate a license utilization report per day and save it for historical data.

I am using the 30 Days License Usage report as a base for my daily report:

index=_internal host=licensemaster source=*license_usage.log* type="RolloverSummary" earliest=-1d@d latest=-0d@d | bin _time span=1d | stats sum(b) as sumb last(stacksz) as laststacksz by _time component | eval sumgb=round(sumb/1024/1024/1024, 3) | eval laststackszgb=round(laststacksz/1024/1024/1024, 3)

And it is giving me the result as expected:

Screen Shot 2022-07-06 at 4.09.24 PM.png

I want to go further and try to get the license utilization per hour, so I changed the search to:

index=_internal host=licensemaster source=*license_usage.log* type=Usage earliest=-1d@d latest=-0d@d | stats sum(b) as sumb last(poolsz) as lastpoolsz by _time | eval sumgb=round(sumb/1024/1024/1024, 3) | eval lastpoolszg=round(lastpoolsz/1024/1024/1024, 3) | addcoltotals sumb

But the result is lower than the daily one:

Screen Shot 2022-07-06 at 4.12.09 PM.png

967069668524 bytes is 900.656 Gb.

What am I doing wrong? I am running Splunk Enterprise 8.2.6.

Thank you,

Gerson Garcia

0 Karma

GersonGarcia
Path Finder

@PickleRick and @ITWhisperer I am not rounding anything before stats, it does not make any difference if I run

index=_internal host=licensemaster source=*license_usage.log* type=Usage earliest=-1d@d latest=-0d@d | stats sum(b) as sumb last(poolsz) as lastpoolsz by _time | addcoltotals sumb

The sum(b) is the same 967069668524 or 900.653

Screen Shot 2022-07-07 at 4.14.26 PM.png

0 Karma

GersonGarcia
Path Finder

@ITWhisperer @PickleRick The license utilization reported by License Master is 947.996

Screen Shot 2022-07-07 at 4.17.09 PM.png

0 Karma

ITWhisperer
SplunkTrust

You are right - it looks like Rollover Summary and Usage are inconsistent.

0 Karma

PickleRick
SplunkTrust

That might have nothing to do with the issue but don't round before summing. You'll accumulate rounding errors.

ITWhisperer
SplunkTrust

As @PickleRick says, don't round before summing - you have over a million statistics, rounding errors of 0.0001GB * 1,000,000 = 100GB - being only 47GB out is not beyond reason 😀

If you want to display as GB, try using fieldformat

index=_internal host=licensemaster source=*license_usage.log* type=Usage earliest=-1d@d latest=-0d@d | stats sum(b) as sumb last(poolsz) as lastpoolsz by _time | fieldformat sumgb=round(sumb/1024/1024/1024, 3) | fieldformat lastpoolszg=round(lastpoolsz/1024/1024/1024, 3) | addcoltotals sumb
0 Karma
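
The rounding point raised in the replies, shown offline as an added example that is not part of the original thread or of Splunk's own tooling: it parses license_usage.log-style lines, keeps exact integer byte totals per hour, and compares rounding to GB after summing with rounding each event first. The sample lines are constructed; only the field names type, b, poolsz and stacksz come from the searches above, and the line layout and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

GIB = 1024 ** 3

# Constructed sample lines (not from the thread); the layout is an assumption.
SAMPLE = """\
07-06-2022 00:10:31.000 INFO LicenseUsage - type=Usage idx="main" b=400000 poolsz=1099511627776
07-06-2022 00:40:31.000 INFO LicenseUsage - type=Usage idx="web" b=450000 poolsz=1099511627776
07-06-2022 01:05:31.000 INFO LicenseUsage - type=Usage idx="main" b=2147483648 poolsz=1099511627776
07-06-2022 01:35:31.000 INFO LicenseUsage - type=Usage idx="web" b=500000 poolsz=1099511627776
07-07-2022 00:00:05.000 INFO LicenseUsage - type=RolloverSummary b=2148833648 stacksz=1099511627776
"""

LINE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}):\d{2}:\d{2}\.\d{3} .*?\btype=(\w+)\b(.*)$")
FIELD = re.compile(r'\b(\w+)=("[^"]*"|\S+)')

def parse(text):
    """Yield (hour, type, fields) for every line that matches the assumed layout."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip anything that is not a license usage line
        hour = datetime.strptime(m.group(1), "%m-%d-%Y %H")
        fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(3))}
        yield hour, m.group(2), fields

def hourly_bytes(text):
    """Exact integer byte totals per hour, type=Usage events only."""
    totals = defaultdict(int)
    for hour, kind, fields in parse(text):
        if kind == "Usage" and "b" in fields:
            totals[hour] += int(fields["b"])
    return dict(totals)

def to_gb(nbytes):
    return round(nbytes / GIB, 3)

def daily_gb_round_after(text):
    """Sum raw bytes first, convert and round once at the end."""
    return to_gb(sum(hourly_bytes(text).values()))

def daily_gb_round_before(text):
    """Round every event to 3 decimals of GB, then sum (small events vanish)."""
    per_event = [to_gb(int(f["b"])) for _, kind, f in parse(text) if kind == "Usage"]
    return round(sum(per_event), 3)
```

With this sample, the three events under about half a megabyte each round to 0.000 GB on their own, so rounding first reports 2.0 GB while summing bytes first reports 2.001 GB.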