Why are two different queries that return license ...

att35 · ‎01-25-2019

Hi,

I am trying to determine total license usage in GB by a certain group of assets where hostname starts with "xyz". There are a total of 24 such hosts that are currently sending data in Splunk, but I tried two different searches to get license count and both reported a different number of hosts.

Following query gave results for 10 hosts.

index=_internal host=<License Master> source=*license_usage.log* type="Usage" h=xyz* | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | eval b=b/(1024*1024*1024)  | timechart span=1d sum(b) AS volumeB by h fixedrange=false useother=f

Whereas the following gave data only for 7 of them.

index=_internal source=*metrics.log group="tcpin_connections" hostname=xyz*   | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | stats sum(kb) as KB by sourceHost | eval KB = round(KB)

We have just one license master and both queries above were run for a 24 Hour window. How can I get the total sum of data sent by these hosts(xyz*) in the last 24 hours?

Thanks,

~ Abhi

chrisyounger · ‎01-26-2019

It might not be possible from the metrics log because if you have a lot of hosts/sources/sourcetypes, they will be squashed and summarised. It does this to stop the metrics log from becoming huge.

You could run a search like this instead, however it is going to be very slow:

index=whatever | eval len = len(_raw) | stats sum(len) by host

That will tell you the answer in bytes.

Why are two different queries that return license usage by host getting different results (with several hosts missing)?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!