Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Community
- :
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why is indexing volume not matching license usage?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
leonards1
Explorer
10-26-2016
05:44 AM
Following some runaway license violations, I am looking to find the offending host but in running the queries that I have, I am finding that the total "host usage" is far more than the "license usage".
I am using the following to show the usage per host:
index="_internal" source="*metrics.log" group="per_host_thruput" | eval mb = (round(kb,0)/1024) |chart sum(mb) by series | sort - sum(mb)
I am using the following to find the usage against the license:
index=_internal source=*license_usage* type=RolloverSummary | bucket _time span=1d | eval MB_vol=b/1024/1024 | timechart span=1d sum(MB_vol) by pool
Is this correct? Is this related to this post? -- https://answers.splunk.com/answers/2886/indexing-volume-vs-data-size-received.html?utm_source=typeah...
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
masonmorales
Influencer
10-26-2016
11:53 AM
type=RolloverSummary will only show the top 10 indexes. To see the total by host you can do something like:
index="_internal" source=*license_usage.log type=Usage | eval KB=round(b/1024) | eval MB=round(KB/1024,2) | eval GB=round(MB/1024,2) | eval TB=round(GB/1024,2) | stats sum(MB) as Total by h
Or by pool and day:
index=_internal source=*license_usage* type=Usage | bucket _time span=1d | eval MB_vol=b/1024/1024 | stats (MB_vol) by pool _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
masonmorales
Influencer
10-26-2016
11:53 AM
type=RolloverSummary will only show the top 10 indexes. To see the total by host you can do something like:
index="_internal" source=*license_usage.log type=Usage | eval KB=round(b/1024) | eval MB=round(KB/1024,2) | eval GB=round(MB/1024,2) | eval TB=round(GB/1024,2) | stats sum(MB) as Total by h
Or by pool and day:
index=_internal source=*license_usage* type=Usage | bucket _time span=1d | eval MB_vol=b/1024/1024 | stats (MB_vol) by pool _time
Register for .conf21 Now!
Go Vegas or Go Virtual!
How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.
Learn More or Register Now >
