- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to create a summary Index that will give licen...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create a summary Index that will give license usage by index and sourcetype?
Hi All,
I am trying to create a summary index which will gives us the license usage by index and sourcetype, which will be used for creating a dashboard with trends based on index and breaches per day. The process followed is
- Schedule a saved search with the below query
index=_internal type=Usage source="/opt/splunk/var/log/splunk/license_usage.log" |stats sum(b) as bytes by idx, st - Enable Summary Indexing
After that I am using below query to pull out the trend for last 24hrs
index=summary search_name=savedsearch_name |stats sum(bytes) by idx |eval GB = round(bytes/1024/1024/1024, 2)
But the above query gave me wrong results. Could you please help me to sort out the mistake? Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since you (might) want to calculate trends, your summary index needs _time field and a smaller, evenly distributed summary indexing frequency. I would do something like this
Summary index search name: license_usage_5min_summary
Search:
index=_internal sourcetype=splunkd component=LicenseUsage type=Usage | bucket span=5m _time | stats sum(b) as bytes by _time idx st
Time range: -9m@m to -4m@m (allowing 4min delay to account for indexing delay
Cron Schedule : 4-59/5 * * * * (every 5 mins, starting at 4th min. Since we take a 4 min delay, your data will collected for even time blocks 0-5 mins, 5-10min etc)
You can backfill it for past period using this method: https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Managesummaryindexgapsandoverlaps#Use_t...
Now use new summary index data for your trending. Since this has correct _time value it'll honor time-range as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2 - it's interesting that in the admin class they try to stir us from summary indexes towards data model accelerations.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is correct, but summary indexing has its own advantages.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey@siva_cg
You can already find the trend of license usage by index on the license master for 30 days in the usage report.
Is there any specific reason to use summary index?
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
