How to get licensing of indexes per indexing serve...

MikeBertelsen · ‎03-21-2018

I have two reports that I would like to combine so that for a specific group of indexers I can get the list of indexes and how much licensing is impacted by indexer and licensing impact for each of the indexes on that indexer.
This first one gives me licensing impact by indexer where the indexer is as a whole is at least one gig of licensing:

index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d pool=* 
| eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time 
| eval gb = round(b/1024/1024/1024,2)  
| join type=left slave        [
     | rest count=0 /services/licenser/slaves        
     | rename label as slave_name       
     | rename title as slave        
     | table slave_name slave]  
| search gb!=0  | timechart span=1d sum(gb) AS "volume" fixedrange=false by slave_name

This next one gives me a list of indexes and what the impact to licensing is:

index=_internal source=*license_usage.log type=Usage |  eval totalMB = b/1024/1024  | eval totalGB = totalMB /1024 | rename idx as index | timechart span=1d limit=20 sum(totalGB) by index

How to get licensing of indexes per indexing server?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation