Why are two different queries that return license usage by host getting different results (with several hosts missing)?



I am trying to determine total license usage in GB by a certain group of assets where hostname starts with "xyz". There are a total of 24 such hosts that are currently sending data in Splunk, but I tried two different searches to get license count and both reported a different number of hosts.

Following query gave results for 10 hosts.

index=_internal host=<License Master> source=*license_usage.log* type="Usage" h=xyz* | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | eval b=b/(1024*1024*1024)  | timechart span=1d sum(b) AS volumeB by h fixedrange=false useother=f

Whereas the following gave data only for 7 of them.

index=_internal source=*metrics.log group="tcpin_connections" hostname=xyz*   | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | stats sum(kb) as KB by sourceHost | eval KB = round(KB)

We have just one license master and both queries above were run for a 24 Hour window. How can I get the total sum of data sent by these hosts(xyz*) in the last 24 hours?


~ Abhi

0 Karma


It might not be possible from the metrics log because if you have a lot of hosts/sources/sourcetypes, they will be squashed and summarised. It does this to stop the metrics log from becoming huge.

You could run a search like this instead, however it is going to be very slow:

index=whatever | eval len = len(_raw) | stats sum(len) by host

That will tell you the answer in bytes.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...