I'm looking to make some metrics dashboards off of the license_usage log, similar to the way the Deployment Monitor works.
However, looking at index=_internal source=*license_usage.log on the license master, there are a lot of entries with h="" s="" (original host and source fields blank).
What is going on here? (License master = 4.2.4, indexers/search heads = 4.3.1)
An indexer will send a periodic breakdown of data indexed, split by s= h= st= by default. However, if the number of unique s,st,h tuples grows too large (1000 by default), we squash the s/h keys to avoid explosion in memory/processing overhead of the table.
NOTE: we introduced a tunable by setting, squash_threshold in server.conf in 4.3.1 where you can increase the threshold. It can be set in server.conf of indexers under the license stanza.
An indexer will send a periodic breakdown of data indexed, split by s= h= st= by default. However, if the number of unique s,st,h tuples grows too large (1000 by default), we squash the s/h keys to avoid explosion in memory/processing overhead of the table.
NOTE: we introduced a tunable by setting, squash_threshold in server.conf in 4.3.1 where you can increase the threshold. It can be set in server.conf of indexers under the license stanza.
Agree that it would be nice to have the ability to tune which fields are squashed (s or h or both) along with the numeric limit. At 6.3.3, it only appears that adjusting the squash_threshold is an option.
