Hello all, a Splunk newbie here.
For the company that I work for we want to monitor some licenses that are being used. The logs show the user the type of license that they have. The type can be for the most part IN (not using) or OUT (using the license) and sometimes DENIED but that is not of interest currently.
Because sometimes users forget to log off we want to take this into account by looking at the data over the past 2 weeks. I count the most recent type for each user and focus if the type is OUT. Because this means that the user is using a license. This gives a count of OUT over the past 2 weeks, which is pretty accurate with what the license manager shows.
This count of OUT over the past 2 weeks is needed to be shown every 5 minutes on a (time)chart. So, is it possible to have a (time)chart that runs a count over the past 2 weeks every 5 minutes?
For the query I have: base search | dedup 1 user sortby -_time | table user type _time | search type=out
This gives me only the users that have a type OUT, which means these are the ones that are using a license. Again, I would like to count the number of OUTS these past 2 weeks and have that number calculated every 5 minutes and shown on a (time)chart. I have tried loads of stuff (from other posts) but I did not manage to get it to work.
There already is a workaround where we use an ETL tool with the Splunk API as middleware, but I thought there should be a more efficient way to do it.
If any more info is needed I (hopefully) can provide that,
Thanks in advance,
M.
So, I have been working on your proposals yesterday and today. I finally got it working. Your proposed query did not work, unfortunately. I did manage to create a report that runs every 5 minutes and calculate the count for the past 2 weeks. This is stored in the summary index and from there I create the timechart. I had some trouble with the events being stored with a timestamp of 2 weeks earlier. I managed to get that to work by adding | eval _time=now() at the end of my report search statement and that got me the correct timestamp in the summary index.
Anyway, thank you for your help, I cannot accept your post as the solution since there is also the query you proposed but the summary index was the way to go!
So, I have been working on your proposals yesterday and today. I finally got it working. Your proposed query did not work, unfortunately. I did manage to create a report that runs every 5 minutes and calculate the count for the past 2 weeks. This is stored in the summary index and from there I create the timechart. I had some trouble with the events being stored with a timestamp of 2 weeks earlier. I managed to get that to work by adding | eval _time=now() at the end of my report search statement and that got me the correct timestamp in the summary index.
Anyway, thank you for your help, I cannot accept your post as the solution since there is also the query you proposed but the summary index was the way to go!
Splunk will process a pipeline of events, usually from an index search. Do you have events every five minutes when a user is using a licence or only events when they start using the licence and sometimes when they stop using the licence?
Yes, when a user is using a license or handing it back in that is all logged and onboarded. Thanks to the dedup I get the latest status of a user. But it basically comes down to the fact to fire a count of the past two weeks every 5 minutes.
If there are no new events that just means that the status hasn't changed of the usage, which is fine.
You could set up a report that runs every 5 minutes looking back over the last 2 weeks (probably would need to convert that to minutes - 60*24*14) and store the results in a summary index, which you can then use as the basis for your timechart.
Or you could do something like this
<your index search over last 2 weeks>
| sort 0 _time
| timechart span=5m usenull=f useother=f latest(state) by user
| filldown
| foreach *
[| eval "<<FIELD>>"=if('<<FIELD>>'!="OUT",null(),'<<FIELD>>')]
| untable _time user state
| timechart span=5m count
where state is either "OUT" or something else