Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is there a bogus ingest volume displaying in CMC?

dionrivera
Communicator
‎07-17-2022 12:13 PM

In the Overview tab, it shows 25TB of total ingest volume. This is incorrect, we should be at ~4TB. This is important for our licensing and storage levels.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dionrivera
Communicator
‎07-21-2022 09:17 AM

@Roy_9  As it turns out, the upgrade to CMC changed the timeframe it looks back to 7 days instead of 1 day which explains why my numbers were multiplied. I reached out to Splunk and they are working on changing the default timeframe to 1 day. Which makes sense because this is what teams use to gauge their daily ingest rate which goes against their licensing costs.

To answer your question, I'm on cloud. Thank you for your suggestion. You are appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Roy_9
Motivator
‎07-17-2022 06:40 PM

Hello @dionrivera 
Can you validate the license volume using the below search and see if there is a difference.use the below search:
index=_internal source=*license_usage.log type=”Usage” splunk_server=*
| eval Date=strftime(_time, “%Y/%m/%d”)
| streamstats sum(b) as volume
| eval MB=round(volume/1024/1024,5)
| timechart span=1w avg(MB) by idx

Are you on Splunk Cloud or Enterprise by the way?


Thanks

0 Karma
Reply
Solved! Jump to solution
Solution

dionrivera
Communicator
‎07-21-2022 09:17 AM

@Roy_9  As it turns out, the upgrade to CMC changed the timeframe it looks back to 7 days instead of 1 day which explains why my numbers were multiplied. I reached out to Splunk and they are working on changing the default timeframe to 1 day. Which makes sense because this is what teams use to gauge their daily ingest rate which goes against their licensing costs.

To answer your question, I'm on cloud. Thank you for your suggestion. You are appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...