Security

Why are two different queries that return license usage by host getting different results (with several hosts missing)?

att35
Builder

Hi,

I am trying to determine total license usage in GB by a certain group of assets where hostname starts with "xyz". There are a total of 24 such hosts that are currently sending data in Splunk, but I tried two different searches to get license count and both reported a different number of hosts.

Following query gave results for 10 hosts.

index=_internal host=<License Master> source=*license_usage.log* type="Usage" h=xyz* | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | eval b=b/(1024*1024*1024)  | timechart span=1d sum(b) AS volumeB by h fixedrange=false useother=f

Whereas the following gave data only for 7 of them.

index=_internal source=*metrics.log group="tcpin_connections" hostname=xyz*   | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | stats sum(kb) as KB by sourceHost | eval KB = round(KB)

We have just one license master and both queries above were run for a 24 Hour window. How can I get the total sum of data sent by these hosts(xyz*) in the last 24 hours?

Thanks,

~ Abhi

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

It might not be possible from the metrics log because if you have a lot of hosts/sources/sourcetypes, they will be squashed and summarised. It does this to stop the metrics log from becoming huge.

You could run a search like this instead, however it is going to be very slow:

index=whatever | eval len = len(_raw) | stats sum(len) by host

That will tell you the answer in bytes.

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...