This may be 2 questions, but...
In order to measure ingestion rate, we have been using "per_index_thruput":
index="_internal" source="*metrics.log" per_index_thruput starthoursago=24 | eval GB=kb/(1024*1024) | timechart span=60min sum(GB) | convert ctime(_time) as timestamp
This will report an ingestion number: Let's say it's 45GB/1hr (translates to ~1.1TB/day)
After running this for about 23hrs in one day, the License usage reports around 350GB/day - NOT 1TB/day.
What may be causing this difference?
Using the following search - It seems to report a number matching up with the LicenseUsage warnings:
index=_internal source=*license_usage.log* type=Usage | timechart span=1h sum(b) as bytes | eval GB = round(bytes/1024/1024/1024,5) | fields _time GB
Assumption: Even though we are using a replication factor - this should not affect the index throughput nor the licensing, right?
Since both these parameters seem to be Raw data size parameters.
Two Questions:
1) What search query is recommended to use for measuring the ingestion rate?
2) Why isn't the per_index_thruput matching up with the license usage number?