I'm trying to understand how Splunk calculates license usage. There is a particular index "snort" which receives some JSON input, and the launcher reports this index has increased significantly. If I do this query
index=_internal source=*license_usage.log type=Usage idx=snort
| stats sum(b) as bytes
| eval MB = round(bytes/1024/1024,1)
| fields MB
it reports 9GB for a given period. If I estimate the length of each event and sum these values like this
index=snort
| eval len_raw = len(_raw)
| stats sum(len_raw) as bytes
| eval MB = round(bytes/1024/1024,1)
| fields MB
it gives me 18MB. I.e., there is about a 500-fold difference. I understand there may be issues due to encoding (ASCII vs UTF8), yet that would make a 2-fold difference, not 500. There are other sources which allow me to estimate the size and number of events from these sources, and it seems 18MB should be the right number. Any ideas why the numbers reported in the _internal log are so different?