License usage by subnet

mchandx — Mon, 30 Apr 2012 15:47:29 GMT

Hello,

I have a request that I cannot seem to figure out. What I need to do is monitor the license usage on a per subnet basis (ex. daily license usage for 192.168.*), then break it down to the host level. For example, lets say I have 5 hosts: 192.168.1.1, 192.168.2.4, 192.168.7.8, 192.168.42.12, 192.168.87.16. I need to have a search scan the entire 192.168.0.0/16 range, then break the report down to license usage per host. (Sorry, having a bit of a problem expressing my thoughts)

The twist is from that search, I need to set up an alert to report when a host goes over x% license usage.

I am not exactly sure how to do this. I have a search that reads total number of logs from all hosts, one that shows the top reporting hosts, and one that shows the total daily license usage.

Any advice is welcome.

Please do not reference this thread as this doesn't do what I want it to do.

Thanks in advance!

Re: License usage by subnet

ziegfried — Mon, 30 Apr 2012 16:39:48 GMT

index=_internal source=*license_usage.log type=Usage h=192.168.0.0/16 | stats sum(b) as bytes by h | eval usagePercent=bytes/( 50 *1024*1024*1024)*100 | where usagePercent>5

This search would output the hosts in the 192.168.0.0/16 range using more than 5 % of the 50 GB license for the selected time range. You'd have to customize this search (ie. change 50 to the actual licensed volume and set the threshold).

Also, this search assumes the host values in splunk to be IP addresses. You'd have to add reverse DNS resolution if this isn't the case.

index=_internal source=*license_usage.log type=Usage | lookup dnslookup clienthost as h OUTPUT clientip as ip | eval h=coalesce(ip,h) | search h=192.168.0.0/16 | stats sum(b) as bytes by h | eval usagePercent=bytes/( 50 *1024*1024*1024)*100 | where usagePercent>5

topic License usage by subnet in Installation

License usage by subnet

Re: License usage by subnet