Re: Why are my search results for daily indexed da...

athorat · ‎06-18-2015

I have to calculate the amount of data to be indexed on a daily basis in a custom dashboard.
I was using the following search:

index=_internal source=*metrics.log    per_index_thruput | eval GB=kb/(1024*1024) | timechart span=1d sum(GB)

and now when I see the Splunk Deployment Monitor app (License Report>>Daily Volume by Week for Last 4 weeks), the indexed data is half the amount of what I am getting from this search.
I need to understand the correct amount of indexed data, so is my search not pulling the correct data or the Deployment Monitor not reflecting the right amount of data?

lguinn2 · ‎06-18-2015

There is a really nice answer to this question here:

Why an _internal index search on per_index_thruput...

The bottom line, you should be looking at the license_usage.log on your license master.

athorat · ‎06-18-2015

When I use license_usage.log I get half the amount of volume count but when I use source="*metrics.log"
I get the twice the amount of volume compared to that of license_usage.log

When I use

 index="_internal" source=*license_usage.log* type=Usage  | eval b=b/(1024*1024) |timechart span=d sum(b)

I get 49 GB for a specific Day
AND
When i use

 index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |timechart span=d sum(GB)

I get 98GB for that same day.

So as I understand metrics.log will only return top 10 values every second and will not give precise data?
But seems to be otherwise.

Why are my search results for daily indexed data different from the the License Report > Daily Volume in the Deployment Monitor app?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...