I am looking for a way to create a query that will search and store license usage data per index. The idea is that I want to be able to view this visually in a dashboard (timechart). Currently, I use the following query:
earliest=-30d@d latest=@d (index=_internal source=*license_usage.log* type="Usage")
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(((len(idx) == 0) OR isnull(idx)),"(UNKNOWN)",idx)
| timechart span=1d eval(round((sum(b)/1024/1024/1024),3)) AS Volume by idx useother=f limit=0
| addtotals row=t col=f fieldname="Daily (GB)"
From my understanding, the internal index retention is 30 days. I do not want to change this, but be able to search back past 30 days for license data similar in format to the above mentioned query.
Any advice is appreciated, thanks!
