Archive

I need to produce a license report by index that includes retention period

New Member

I need to build a monthly report that shows average daily usage for charge-back purposes. I have sorted out how to give them everything they are asking for except for the data retention. They want me to include a column in the report that shows what indexes are 30, 93, 180 or 365 days of retention.

How would I go about adding that information?

This is my search so far:

earliest=-30d@d latest=@d index=internal source=license_usage.log type=Usage idx="" |
eval date=strftime(_time, "%Y%m%d") |
stats sum(b) as sum by idx, date |
eval GB = sum/1024/1024/1024 |
chart avg(GB) as "Average Daily - GB", max(GB) as "Monthly Peak - GB" by idx |
rex field=idx "^.
?
(?\d+)_(?\d+)$"

0 Karma

Ultra Champion

Add the following to your current search:

join type=left idx [
| rest /services/data/indexes 
| rename title as idx 
| eval retention_period = frozenTimePeriodInSecs / (3600*24) 
| table idx,retention_period
]
0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!