Security

Why are two different queries that return license usage by host getting different results (with several hosts missing)?

att35
Builder

Hi,

I am trying to determine total license usage in GB by a certain group of assets whose hostname starts with "xyz". There are a total of 24 such hosts currently sending data to Splunk, but I tried two different searches to get the license count and each reported a different number of hosts.

The following query gave results for 10 hosts.

index=_internal host=<License Master> source=*license_usage.log* type="Usage" h=xyz* | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | eval b=b/(1024*1024*1024) | timechart span=1d sum(b) AS volumeB by h fixedrange=false useother=f

Whereas the following gave data only for 7 of them.

index=_internal source=*metrics.log group="tcpin_connections" hostname=xyz* | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | stats sum(kb) as KB by sourceHost | eval KB = round(KB)

We have just one license master, and both queries above were run over a 24-hour window. How can I get the total sum of data sent by these hosts (xyz*) in the last 24 hours?

Thanks,

~ Abhi


chrisyounger
SplunkTrust

It might not be possible from the metrics log because if you have a lot of hosts/sources/sourcetypes, they will be squashed and summarised. It does this to stop the metrics log from becoming huge.

You could run a search like this instead; however, it is going to be very slow:

index=whatever | eval len = len(_raw) | stats sum(len) by host

That will tell you the answer in bytes.

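The squashing the answer describes also applies to license_usage.log itself: once the number of distinct source/sourcetype/host/index combinations in a reporting period exceeds squash_threshold (server.conf, [license] stanza) on the license master, Splunk keeps writing type=Usage records but drops the s= and h= fields from them, so a filter such as h=xyz* can never match those bytes. The Python below is an added illustration, not code from the original post or from Splunk; it replays what the first search does over a few constructed license_usage.log lines, one of which is written the way a squashed record looks. The host names, byte counts and the RolloverSummary line are made up.

```python
import re
from collections import defaultdict

# Constructed license_usage.log records (sample data, not from the original
# post). The field layout follows the type=Usage records the first search in
# the question parses. The last Usage record is what Splunk writes once it has
# squashed the per-source/per-host breakdown: st= and idx= survive, but s= and
# h= are absent, so a host filter cannot match it. The RolloverSummary line is
# there only to show that the type=Usage filter discards other record types.
SAMPLE_LICENSE_USAGE_LOG = [
    '01-01-2024 00:00:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary '
    'idx="os" pool="auto_generated_pool_enterprise" b=99999999999 poolsz=10737418240',
    '01-01-2024 00:05:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" '
    'st=linux_secure h="xyz-web01" o="" idx="os" i="ABC" '
    'pool="auto_generated_pool_enterprise" b=536870912 poolsz=10737418240',
    '01-01-2024 00:05:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" '
    'st=linux_secure h="xyz-web02" o="" idx="os" i="ABC" '
    'pool="auto_generated_pool_enterprise" b=268435456 poolsz=10737418240',
    '01-01-2024 00:05:00.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" '
    'st=syslog h="abc-fw01" o="" idx="network" i="ABC" '
    'pool="auto_generated_pool_enterprise" b=1073741824 poolsz=10737418240',
    # Squashed record: no s= and no h= field at all.
    '01-01-2024 00:05:00.000 +0000 INFO  LicenseUsage - type=Usage st=linux_secure '
    'o="" idx="os" i="ABC" pool="auto_generated_pool_enterprise" b=805306368 '
    'poolsz=10737418240',
]

# key=value pairs; values are either double-quoted (may be empty) or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
GIB = 1024 ** 3
SQUASHED = "(SQUASHED)"


def parse_kv(line):
    """Split one license_usage.log record into a dict of its key=value fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def usage_gb_by_host(lines):
    """Sum type=Usage bytes per host, as the first search does before its
    h=xyz* filter. Records with an empty or missing h= go to the SQUASHED
    bucket, mirroring the eval default the search applies to s."""
    totals = defaultdict(int)
    for line in lines:
        f = parse_kv(line)
        if f.get("type") != "Usage":
            continue
        totals[f.get("h") or SQUASHED] += int(f["b"])
    return {host: b / GIB for host, b in totals.items()}


def usage_gb_for_prefix(lines, host_prefix="xyz"):
    """What the h=xyz* filter actually returns: only records that still carry a
    host name. Squashed bytes that belong to xyz* hosts are silently missing."""
    return {host: gb for host, gb in usage_gb_by_host(lines).items()
            if host.startswith(host_prefix)}


def unattributable_gb(lines):
    """Bytes counted against the license that can no longer be tied to a host.
    If this is non-zero, any per-host total from license_usage.log is a lower
    bound, not the answer."""
    return usage_gb_by_host(lines).get(SQUASHED, 0.0)


if __name__ == "__main__":
    print("per xyz* host (GiB):", usage_gb_for_prefix(SAMPLE_LICENSE_USAGE_LOG))
    print("squashed, host unknown (GiB):", unattributable_gb(SAMPLE_LICENSE_USAGE_LOG))
```

The practical check before trusting either per-host number is to run the first search's base query over the same window without the host filter and look for Usage records with no h= field (for example by adding NOT h=* to the search); if any come back, the per-host breakdown is incomplete for that period and the only ways to get a true per-host figure are to raise squash_threshold on the license master (at the cost of a larger license_usage.log) or to measure from the indexed data directly, as the slow len(_raw) search in the answer does.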