Splunk usage metrics.log vs license_usage.log vs len(_raw)

agodoy
Communicator

Hello Splunk Gurus,

I am observing some discrepancies between metrics.log, license_usage.log, and len(_raw).

I am looking at usage for 1 specific host through 1 single day.

Searches below:

License_usage.log (Calculated Usage=1 GB):

index=_internal source=*license_usage.log type=Usage h=myhost
| stats sum(b) as bytes by h 
| eval MB = round(bytes/1024/1024,1)
| fields h MB
| rename h as host

Metrics.log (Calculated Usage = 1GB):

index=_internal source=*metrics.lo* group="per_host_thruput" series=myhost
| eval MB=kb/1024 
| stats sum(MB) by series

Raw Events (Calculated Usage = 20 MB):

index=* OR index=_* host=myhost
| eval bytes=len(_raw) 
| stats sum(eval(bytes/1024/1024)) as mb, by index sourcetype

I am redirecting some events to the NULL queue. Therefore, those events would not show up in the "Raw Events" search. However, what impact does the NULL queue have on metrics.log and license_usage.log? Is my assumption correct that len(_raw) should somewhat approximate the metrics in the metrics/license logs?

Thanks!

ChrisG
Splunk Employee

If you are using Splunk 6.0, use the new License Usage Report View. If you are using Splunk 5.x, install the latest version of the Splunk on Splunk app and it has the same view for your 5.x environment.

ChrisG
Splunk Employee

Are you using SoS 3.1.0? Just want to make sure you are using the latest version. If it still doesn't give you the reporting you need, please provide the details and I will make sure the developers of the app see this posting.

agodoy
Communicator

I have SoS installed. It just does not give me the granularity that I need. Thanks!

0 Karma

lukejadamec
Super Champion

Well, the first two searches will be your best measure of license usage.

The third search uses the len command, which returns the length of the string, which is not a direct measure of bytes. Calling it bytes does not make it bytes. Also, it includes data from the internal index, which does not count against the license.

Your last question about nullQueue - items sent to nullQueue are dropped prior to indexing, so they do not count against the index volume.

0 Karma

lukejadamec
Super Champion

That is a good question. Does it matter if it is a 32 or 64 bit system? Or am I thinking too much?

Try it without including the internal indexes - they are not counted against your license.

0 Karma

agodoy
Communicator

Thank you! If the len command returns the character length of a string X and 1 character is 1 byte, why would it not make sense to call it bytes?
