Solved: License usage for one index broken down by sourcet...

ddrillic · ‎11-21-2017

How can I get a license usage for one index broken down by sourcetype? I know this question came up recently in different manifestations ; -) sorry.

somesoni2 · ‎11-21-2017

Try this

index=_internal sourcetype=splunkd source=*license_usage.log type=Usage idx=YourIndexHere
| stats sum(b) as usage by idx st | eval usage_MB=round(usage/1024/1024,3)
| rename idx and index st as sourcetype

View solution in original post

DalJeanis · ‎11-21-2017

Start here -

index=_internal source=*license_usage.log* Usage 
| eval s=coalesce(s,"unknown"), eval st=coalesce(st,"unknown") 
|  stats sum(b) as bytes by idx s st

micahkemp · ‎11-21-2017

index=_internal source="*/license_usage.log" component=LicenseUsage idx=<your index>
| timechart sum(b) AS b BY st

In the license usage events idx is the index and st is the sourcetype that the licensing metrics are detailing.

somesoni2 · ‎11-21-2017

Try this

index=_internal sourcetype=splunkd source=*license_usage.log type=Usage idx=YourIndexHere
| stats sum(b) as usage by idx st | eval usage_MB=round(usage/1024/1024,3)
| rename idx and index st as sourcetype

elliotproebstel · ‎11-21-2017

If you find yourself needing to break out license usage statistics often, you might find it helpful to check out the License Usage app, which includes queries for license usage by index/sourcetype/etc.

https://splunkbase.splunk.com/app/174/#/overview

But in particular, this question had a good answer that breaks out license usage by indexname and sourcetype:
https://answers.splunk.com/answers/417031/license-usage-by-source-type.html

License usage for one index broken down by sourcetype

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...