topic Daily License Usage Based on Source Information Along with Host, Index & Sourcetype Information in Splunk Search

Daily License Usage Based on Source Information Along with Host, Index & Sourcetype Information

anandhalagaras1 — Fri, 07 Jun 2024 10:08:53 GMT

Hi Team,

There is a requirement to get the license usage split in GB on daily basis for the top 20 log sources along with the host, index and sourcetype details.

So kindly help with the query.

Re: Daily License Usage Based on Source Information Along with Host, Index & Sourcetype Information

gcusello — Fri, 07 Jun 2024 11:55:24 GMT

Hi @anandhalagaras1 ,

if you see in the Monitoring Console App [Settings > Monitoring Console > Indexing > icense Usage > Historic License Usage] or in License Concuption Report [Settings > Licensing > Usage Report> Previous 60 days > Split by ...] youcan find the searches you need.

Ciao.

Giuseppe

Re: Daily License Usage Based on Source Information Along with Host, Index & Sourcetype Information

anandhalagaras1 — Fri, 07 Jun 2024 12:35:33 GMT

@gcusello

We are using Splunk Cloud version 9.1.2308.203. Following your instructions, I navigated to Cloud Monitoring Console --> License Usage and found the following options in the Cloud Monitoring Console App:
- Entitlement
- Ingest
- Workload
- Storage Summary
- Searchable Storage (DDAS)
- Archive Storage (DDAA)
- Federated Search for Amazon S3

Our Cloud Monitoring Console app is version 3.25.0. Please let me know how to pull the top 20 or top 50 sources with the index and sourcetype information.

Re: Daily License Usage Based on Source Information Along with Host, Index & Sourcetype Information

gcusello — Fri, 07 Jun 2024 12:52:55 GMT

Hi @anandhalagaras1 ,

you should take the searches in Workload and adapt them to your requirements.

Ciao.

Giuseppe

Re: Daily License Usage Based on Source Information Along with Host, Index & Sourcetype Information

anandhalagaras1 — Mon, 10 Jun 2024 10:29:06 GMT

@gcusello When i navigate to the Cloud Monitoring Console-->License Usage-->Workload.

I can see Indexing Process-->Peak SVC usage per hour split by indexing source. So when i navigate to the query in another search window. I can see the query as below:

index=summary source="splunk-ingestion" [`sim_get_local_stack` | eval host="*.".stack.".*splunk*" | fields host] | dedup keepempty=t _time idx st | stats sum(ingestion_gb) as ingestion_gb by _time idx | eventstats sum(ingestion_gb) as total_gb by _time | eval pct=ingestion_gb/total_gb | bin _time span=1h | join _time [ search index=summary source="splunk-svc-consumer" svc_consumer="data services" svc_usage=* | fillnull value="" svc_consumer process_type search_provenances search_type search_app search_label search_user unified_sid search_modes labels search_head_names usage_source | eval unified_sid=if(unified_sid="",usage_source,unified_sid) | stats max(svc_usage) as utilized_svc by _time svc_consumer search_type search_app search_label search_user search_head_names unified_sid process_type | timechart span=1h sum(utilized_svc) as svc_usage ] | eval svc_usage=svc_usage*pct | timechart useother=false span=1h sum(svc_usage) by idx

I need to generate three separate reports, each identifying the top 10 items based on license usage in GB over the last 30 days. Specifically, I want to pull the following information:

1. The top 10 indexes (excluding internal indexes).
2. The top 10 sourcetypes (excluding internal index sourcetypes).
3. The top 10 sources.

These reports need to be scheduled to run every month. Could you please provide the queries for these three requirements?