topic Re: license usage by tcp source query in Installation

license usage by tcp source query

kobi_biton — Wed, 19 Sep 2012 14:32:29 GMT

Hi ,

I am trying to evaluate my license daily usage (In GB) per tcp source , is there a query that I can issue to get this number ? I have 2 tcp inputs, tcp:8183 , tcp:8182

Thanks!
Kobi

Re: license usage by tcp source query

MarioM — Wed, 19 Sep 2012 16:19:53 GMT

index="_internal" source="*license_usage.log" (s="tcp:8182" OR s="tcp:8183") | rename s as source b as bytes | stats sum(bytes) as bytes by source |  eval Gbytes = bytes/1048576/1048576 | fields source Gbytes

Re: license usage by tcp source query

kobi_biton — Wed, 19 Sep 2012 16:51:51 GMT

Thanks for the reply , can I do the same for my splunk inputs ? I have 2 splunk tcp inputs (9997,9998) but they are not seem to be treated a sources is there any way to count license usage by splunk tcp input ?

Re: license usage by tcp source query

MarioM — Mon, 28 Sep 2020 12:28:21 GMT

they will not show as source as they are not source but they will as h:
index="_internal" source="*license_usage.log" | rename s as source b as bytes h as source_host | stats sum(bytes) as bytes by source, source_host | eval Gbytes = bytes/1048576/1048576 | fields source source_host Gbytes

Re: license usage by tcp source query

MarioM — Wed, 19 Sep 2012 17:11:33 GMT

the deployment monitor app /en-US/app/SplunkDeploymentMonitor/license_info give you all those infos

Re: license usage by tcp source query

kobi_biton — Mon, 28 Sep 2020 12:28:23 GMT

Thanks! now I can see my source_hosts , I noticed that 90% of my usage volume comes from a NULL source and a NULL source_host is there any thing I can do to drill down and identify this source ?

Thanks
Kobi

Re: license usage by tcp source query

MarioM — Mon, 28 Sep 2020 12:28:26 GMT

there is another field named "o" as originator you can add it in your initial search and filter your search to only show the NULL source_host events:

index="_internal" source="*license_usage.log" | rename s as source b as bytes h as source_host o as originator | search source_host=""

Re: license usage by tcp source query

kobi_biton — Wed, 19 Sep 2012 17:58:26 GMT

OK I see the originator is also null in my case the only clue i see is the "st" field which I assume is sourcetype? I can get some info from it , is there any particular reason why source and source_host woul report NULL ?

Re: license usage by tcp source query

MarioM — Mon, 28 Sep 2020 12:28:35 GMT

not sure about that can be empty but for forwarders you can use this search : index="_internal" source="*metrics.log" group=tcpin_connections | eval gb=kb/1024/1024 | timechart partial=f sum(gb) as GB by sourceHost

this is no usefull to measure by forwarder as some data might be discarded at indexer level

Re: license usage by tcp source query

kobi_biton — Wed, 19 Sep 2012 19:04:18 GMT

yep in my case data will be discarded on the indexer level as my setup is : ufw --> Intermediate forwarder --> splunk indexer , I guess that the query should be run against the Intermediate forwarder ?

Re: license usage by tcp source query

MarioM — Wed, 19 Sep 2012 20:01:18 GMT

normally intermediate forwarder send his metrics.log but license usage is all on the indexers

Re: license usage by tcp source query

MarioM — Fri, 21 Sep 2012 07:08:33 GMT

Kobi if you are happy with the infos provided please accept the answer for those who might have same question.Thanks