Getting Data In

License usage for one index broken down by sourcetype

ddrillic
Ultra Champion

How can I get a license usage for one index broken down by sourcetype? I know this question came up recently in different manifestations ; -) sorry.

0 Karma
1 Solution

somesoni2
Revered Legend

Try this

index=_internal sourcetype=splunkd source=*license_usage.log type=Usage idx=YourIndexHere
| stats sum(b) as usage by idx st | eval usage_MB=round(usage/1024/1024,3)
| rename idx and index st as sourcetype

View solution in original post

DalJeanis
Legend

Start here -

index=_internal source=*license_usage.log* Usage 
| eval s=coalesce(s,"unknown"), eval st=coalesce(st,"unknown") 
|  stats sum(b) as bytes by idx s st

micahkemp
Champion
index=_internal source="*/license_usage.log" component=LicenseUsage idx=<your index>
| timechart sum(b) AS b BY st

In the license usage events idx is the index and st is the sourcetype that the licensing metrics are detailing.

somesoni2
Revered Legend

Try this

index=_internal sourcetype=splunkd source=*license_usage.log type=Usage idx=YourIndexHere
| stats sum(b) as usage by idx st | eval usage_MB=round(usage/1024/1024,3)
| rename idx and index st as sourcetype

elliotproebstel
Champion

If you find yourself needing to break out license usage statistics often, you might find it helpful to check out the License Usage app, which includes queries for license usage by index/sourcetype/etc.

https://splunkbase.splunk.com/app/174/#/overview

But in particular, this question had a good answer that breaks out license usage by indexname and sourcetype:
https://answers.splunk.com/answers/417031/license-usage-by-source-type.html

Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...