Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is there a bogus ingest volume displaying in CMC?

dionrivera
Communicator
‎07-17-2022 12:13 PM

In the Overview tab, it shows 25TB of total ingest volume. This is incorrect, we should be at ~4TB. This is important for our licensing and storage levels.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dionrivera
Communicator
‎07-21-2022 09:17 AM

@Roy_9  As it turns out, the upgrade to CMC changed the timeframe it looks back to 7 days instead of 1 day which explains why my numbers were multiplied. I reached out to Splunk and they are working on changing the default timeframe to 1 day. Which makes sense because this is what teams use to gauge their daily ingest rate which goes against their licensing costs.

To answer your question, I'm on cloud. Thank you for your suggestion. You are appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Roy_9
Motivator
‎07-17-2022 06:40 PM

Hello @dionrivera 
Can you validate the license volume using the below search and see if there is a difference.use the below search:
index=_internal source=*license_usage.log type=”Usage” splunk_server=*
| eval Date=strftime(_time, “%Y/%m/%d”)
| streamstats sum(b) as volume
| eval MB=round(volume/1024/1024,5)
| timechart span=1w avg(MB) by idx

Are you on Splunk Cloud or Enterprise by the way?


Thanks

0 Karma
Reply
Solved! Jump to solution
Solution

dionrivera
Communicator
‎07-21-2022 09:17 AM

@Roy_9  As it turns out, the upgrade to CMC changed the timeframe it looks back to 7 days instead of 1 day which explains why my numbers were multiplied. I reached out to Splunk and they are working on changing the default timeframe to 1 day. Which makes sense because this is what teams use to gauge their daily ingest rate which goes against their licensing costs.

To answer your question, I'm on cloud. Thank you for your suggestion. You are appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...