Splunk Search

Count Sourcetype by Day

laberthelemy
Engager

In version 6.4.2,
when I try to count the integrated volume by sourcetype for the last day, for example with this search:

earliest=-1d@d latest=@d  index=_internal source=*license_usage.log* type=Usage 
 | stats sum(b) AS Bytes by st | eval GB = (Bytes/1024/10241024/) | sort -GB

The volume seems to be wrong.

| Sourcetype | Bytes         | GB          |
|------------|---------------|-------------|
| opsec      | 4693489783100 | 4371.152989 |
| f5:hsl     | 4472278291965 | 4165.133733 |

The real volume is near 43 GB, not 4371 GB.

In version 6.3.2, the results were correct.

Do you have an explanation, please?

laberthelemy
Engager

With this search, the result shows a daily licence usage and unfortunately it does not split usage by sourcetype.
But the result also shows a problem with the conversion from Bytes to GB.
We have a licence of 300 GB and the total is around 21012 GB.

| _time      | Total GB used |
|------------|---------------|
| 2016-07-28 | 21012.868955  |

In 6.4.2, maybe the search has to be adapted.

Thanks for your help

inventsekar
Ultra Champion

Check this one, from a similar issue post:
The only reliable source for license usage is the $SPLUNK_HOME/var/log/splunk/license_usage.log file on your license master instance, and unfortunately it does not split usage by index.

There is, however, a sampled record of kilobytes indexed for the top 10 most active indexes every 30s in metrics.log. Of course if you have less than 10 active indexes, this is not an issue.

So, for a report showing daily license usage over the past 1 day, you would run:

index=_internal source=*license_usage.log type=RolloverSummary earliest=-1d
| eval GB = b/1024/1024/1024 | eval _time = _time - 43200
| timechart span=1d sum(GB) AS "Total GB used"

For a report showing estimated daily volume indexed (whether it counted against your license quota or not) over the past 7 days, you would run:

index=_internal (host=indexer1 OR host=indexer2 OR host=license_master) source=*metrics.log group=per_index_thruput earliest=-7d
| timechart span=1d sum(eval(kb/1024)) AS "MB indexed" by series


Raghav2384
Motivator

Hello,

The search you posted, is that what you are running exactly, or did you just type it? The reason I ask is that I see a typo in there,
highlighted in bold.

earliest=-1d@d latest=@d  index=_internal source=*license_usage.log* type=Usage 
  | stats sum(b) AS Bytes by st | eval GB = (**Bytes/1024/10241024/**) | sort -GB

As far as the Bytes to GB calculation, that is absolutely right. I used my 6.4 Splunk as well as a calculator, and 4693489783100 Bytes is 4371.152989 GB.

I just ran the search on my LURV by sourcetype and the GB calculation is correct. I suspect the Bytes value. It's almost like something is forcing the time range to be much higher than the -1d@d, @d. Again, mine is 6.4 and not 6.4.2. Maybe 6.4.2 has a bug that reports some extra in the Bytes value. Try not putting the earliest and latest in the search, instead use the Time picker and see if it changes (guess).

Hope this helps!

Thanks,
Raghav


laberthelemy
Engager

Hello,
I tried not putting the earliest and latest in the search but using the Time picker. The result is the same.
When I use Deployment Monitor / All Sourcetypes, the result is the same.
Maybe, as you say, 6.4.2 has a bug reporting the Bytes.

Thanks for your help
laberthelemy

inventsekar
Ultra Champion

4693489783100 bytes is 4693.4897831 GB.
So, something is wrong with the "Bytes" calculation only. (earliest=-1d@d latest=@d index=_internal source=license_usage.log type=Usage | stats sum(b) AS Bytes by st)

axl88
Communicator

When I Google "byte to GB" and enter the information you have in your question,
4693489783100 bytes is equal to 4693.4897831 GB.
Do you think that first number is calculated wrong? In 6.3.2, does it give you 46934897831 in bytes?
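As an added example (not code from this thread), the script below parses a few constructed license_usage.log `type=Usage` lines, sums `b` by `st` the way `stats sum(b) AS Bytes by st` does, and reports each total both in binary gigabytes (÷1024³, what `b/1024/1024/1024` in SPL and Raghav's calculator give) and in decimal gigabytes (÷10⁹, what the Google converter gives). That unit difference is why 4693489783100 bytes shows up as 4371.15 in one reply and 4693.49 in another; the log lines, hosts and index names are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the license_usage.log key=value style (not real data).
# Two Usage events for st="opsec" add up to the 4693489783100 bytes from the question.
SAMPLE_LOG = """\
07-28-2016 00:00:30.123 +0200 INFO  LicenseUsage - type="Usage" s="opsec" st="opsec" h="fw1" idx="fw" pool="auto_generated_pool_enterprise" b=2346744891550 poolsz=322122547200
07-28-2016 00:01:00.123 +0200 INFO  LicenseUsage - type="Usage" s="opsec" st="opsec" h="fw2" idx="fw" pool="auto_generated_pool_enterprise" b=2346744891550 poolsz=322122547200
07-28-2016 00:00:30.456 +0200 INFO  LicenseUsage - type="Usage" s="f5" st="f5:hsl" h="lb1" idx="lb" pool="auto_generated_pool_enterprise" b=4472278291965 poolsz=322122547200
07-28-2016 00:00:00.000 +0200 INFO  LicenseUsage - type="RolloverSummary" pool="auto_generated_pool_enterprise" stacksz=322122547200 b=9165768075065
"""

# key="quoted value" or key=bareword, as written by LicenseUsage
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

GIB = 1024 ** 3   # binary gigabyte: b/1024/1024/1024 in SPL
GB = 10 ** 9      # decimal gigabyte: what most web unit converters use


def parse_event(line):
    """Return the key=value fields of one license_usage.log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def bytes_by_sourcetype(log_text, event_type="Usage"):
    """Equivalent of: type=Usage | stats sum(b) AS Bytes by st."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_event(line)
        # RolloverSummary lines carry a b= field too but no st, so filtering on
        # type matters: mixing event types double-counts the daily volume.
        if ev.get("type") != event_type or "st" not in ev:
            continue
        totals[ev["st"]] += int(ev["b"])
    return dict(totals)


def to_gib(b):
    return b / GIB


def to_gb(b):
    return b / GB


def report(log_text):
    """Rows of (st, bytes, GiB, GB), sorted like `sort -GB`."""
    totals = bytes_by_sourcetype(log_text)
    return [(st, b, round(to_gib(b), 6), round(to_gb(b), 6))
            for st, b in sorted(totals.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    for st, b, gib, gb in report(SAMPLE_LOG):
        print(f"{st:10} {b:>15} {gib:>14.6f} GiB {gb:>14.6f} GB")
```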

laberthelemy
Engager

In 6.3.2, the calculation was right. Now, in 6.4.2, the result does not reflect reality. Something has been changed. The search certainly has to be changed.