@rohit31dec91,

I would use the license_usage.log to determine your charge back. Here is my approach.

# base search

#h is the value used for host and s is used for source.

index=_internal source="*license_usage.lo*" type=Usage |  bucket _time span=10m | stats sum(b) as bytes by _time h, s | eval mb=bytes/1048576 |rename h as host, s as source|

# using the search command to search returned results  and time charting  by day

<BASE_SEARCH> | search host=foo OR host=bar OR host=span | timechart minspan=1d  sum(mb) as Mbytes by host

if you look at the raw event fromm index=_internal source="*license_usage.lo*" type=Usage the other values that you could to charge back by are index, pool, and sourcetype.

st = sourcetype
idx=index
b=bytes
s=source.

Of course this also assume that you are forwarding your licensing masters logs to your indexers. Other wise you will need to run this directly on the licensing master.

Hope this give you some ideas.

Cheers,

paging bwooden

Hi rohit31dec91,

one way to do it, would be based on the license usage. For example take this report on the license usage per index:

index=_internal source=*metrics.log per_index_thruput | timechart sum(kb) by series

this will report usage per index, which then can be used in some charge-back process.

Another way would be to setup license pools, let's say you have 10Gb license and you split off one pool of 1Gb. In the end you don't care how much they need for real, the pool has a size of 1Gb so you 'charge' them a tenth of your license cost....

hope that helps to get you started ...

cheers, MuS