topic Re: How do I search the license usage by sourcetype for a particular app? in Splunk Search

How do I search the license usage by sourcetype for a particular app?

sunnyparmar — Tue, 02 Feb 2016 09:41:55 GMT

Hi,

I have one app which doesn't have indexes in it. The dashboards under it are running via either source, sourcetype, and host. Now I have to find the license usage for that app by all the given modes i.e. source, sourcetype, and host. I have searched for all these three parameters, but when I am executing the search, it is showing all sources, sourcetypes, and hosts for all the apps in the result. Now the problem is I don't know which sources, sourcetypes, and hosts belong to that particular app out of all those, so how can I separate these three instances for that particular app from that results? Any suggestions would be appreciated.

Thanks

Re: How do I search the license usage by sourcetype for a particular app?

javiergn — Tue, 02 Feb 2016 10:02:00 GMT

The following query will give you the list of sourcetypes per app:

 | rest /services/saved/sourcetypes
 | fields title, "eai:acl.app"
 | rename title AS sourcetype, "eai:acl.app" AS app_name

If you then join that by sourcetype with your license query you should be able to list what you want.

Something like this for instance:

index=_internal source=*license_usage.log type="Usage" 
 | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
 | eval sourcetypename = st
 | bin _time span=1d 
 | stats sum(b) as b by _time, pool, indexname, sourcetypename
 | eval GB=round(b/1024/1024/1024, 3)
 | fields _time, indexname, sourcetypename, GB
 | join sourcetypename [
     | rest /services/saved/sourcetypes
     | fields title, "eai:acl.app"
     | rename title AS sourcetypename, "eai:acl.app" AS app_name
]

Thanks,
J

Re: How do I search the license usage by sourcetype for a particular app?

sunnyparmar — Tue, 02 Feb 2016 11:56:12 GMT

thanks J.. solved my issue..

Re: How do I search the license usage by sourcetype for a particular app?

hsesterhenn_spl — Mon, 09 Jan 2017 14:36:07 GMT

Hi,
just to make sure I understand this search ('cause I have to solve a similar question...).

The join returns a list of sourcetypes and the app where this sourcetype is defined/saved....

The first part of the search will break down the indexed volume by index and sourcetype.

To my mind the question is only answered correctly if a sourcetype is only used in one specific app...

If you use a generic sourcetype like access_combined... you'll see only "system" as "app"... because this sourcetype is simply defined in "system"...

I am of the opinion that the question can only be answered if you define a custom sourcetype in your app and define inputs using this sourcetype only in this specific app (or an other single app because you might have a TA defining a sourcetype and a single app to provide dashboards/searches for this sourcetype).

Please feel free to correct me if I am wrong.
It might be possible that I did not get the whole idea 🙂

Greetings,

Holger