I have run some queries for data coming through all of the forwarders and matched it with the actual daily license utilization.
Some of the queries are:
1. index=_internal group=* group=per_host_thruput | bucket _time span=1d | eval time=strftime(_time,"%m/%d/%y") | eval kb=(kb/1024/1024) | stats sum(kb) as SUM by time series | xyseries series time SUM | addtotals | sort -Total
2. index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)
It's weird that the results the search shows are far greater than the actual utilization. I ran it for today, accounting for all forwarders, and the sum shows almost 500 Gigs of data, whereas license utilization is only 280+ Gigs.
Is something wrong with the search, or am I missing something?
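As an added example (not part of the original post), the following SPL puts the two measurements side by side per host so the gap can be inspected rather than guessed at. It assumes the search runs somewhere with access to the license manager's license_usage.log (type=Usage, where the b field is the byte count actually charged against the license and h is the originating host) and to the same _internal metrics.log the post queries. Note that per_host_thruput measures everything moving through the indexing pipeline, including data written to internal indexes such as _internal, which is not charged to the license, so thruput_gb can legitimately exceed license_gb; the host_name, license_gb, thruput_gb and diff_gb field names are chosen here and are not Splunk built-ins.

```spl
index=_internal source=*license_usage.log type=Usage earliest=@d latest=now
| eval host_name=h, gb=b/1024/1024/1024
| stats sum(gb) AS license_gb BY host_name
| append
    [ search index=_internal source=*metrics.log group=per_host_thruput earliest=@d latest=now
      | eval host_name=series, gb=kb/1024/1024
      | stats sum(gb) AS thruput_gb BY host_name ]
| stats sum(license_gb) AS license_gb sum(thruput_gb) AS thruput_gb BY host_name
| fillnull value=0 license_gb thruput_gb
| eval diff_gb=round(thruput_gb-license_gb,2)
| sort -diff_gb
```

Hosts with a large positive diff_gb are the ones whose pipeline throughput is not being charged in full; hosts that appear with license_gb but no thruput_gb, or vice versa, usually indicate the two logs are being read from different instances (license_usage.log lives on the license manager, metrics.log on each indexer), which is worth checking before trusting either total.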