- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: What is the easiest way to run a report that s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the easiest way to run a report that shows indexing / license usage per host?
What is the easiest way to run a report which shows how much indexing you are doing per host? Also.. and I know this is a hard and variable question.. how much do you typically expect from a Windows host?
I am eval'ing Splunk for a small client. I have the perimeter NGFW exporting its logs to Splunk, 1 exsi host doing syslog.. and 4 Windows servers (2 are DCs) setup with the universal forwarder to send app/system/security logs. The two DCs have AD monitoring enabled.
I hit 11gb usage by 10am. This seems on the extreme side to me but I could be wrong as I have never measured logging in this manner before. I have a GPO configured which does logging best practices (followed this pdf mostly: http://sniperforensicstoolkit.squarespace.com/storage/logging/Windows%20Logging%20Cheat%20Sheet%20v1... ).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would suggest you take a look at the Distributed Management Console in the settings menu of the Web Interface. It should give you the information you need as well as more information regarding license usage in your instances.
This way you don't need to rely on a report that may not be giving you exactly what you are looking for.
As far as expected usage I recommend this great website if you want to get estimates. https://splunk-sizing.appspot.com/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm pretty new at this but this is what I am using
index=_internal source=*license_usage.log* type=Usage | stats sum(eval(b/1024/1024/1024)) AS GB by h | eval GB=round(GB,2) | rename h as Host | sort GB | addcoltotals label=Total labelfield=Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something like this :
index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by h fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
On your Splunk Instance, navigate to Settings>System>Licensing>Usage Report. This is built in to Splunk and would provide multiple slices of license usage. Hope this helps
Thanks,
Raghav
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
