Hi duanehare,

run this search, which is basically the same from the license usage report but with added useother=f usenull=f so you no longer have the OTHER group in the time chart:

index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx   | join _time pool type=outer [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS stacksz by slave, pool, _time | stats max(stacksz) AS stacksz by _time, pool] | stats sum(b) AS bytes_used max(stacksz) AS stacksz by h, _time | timechart span=1d max(eval(round(bytes_used/stacksz*100,2))) by h fixedrange=false useother=f usenull=f

Hope this helps ...

cheers, MuS

I ran this query and it returned 0 events. Suggestions?

do you have access to index=_internal ? run this search:

 index=_internal host=indexer source=*license_usage.log type="Usage"

The above search is the one from the License Usage Report, just added the useother=f usenull=f options....

ahh just found the error 🙂 remove host=indexer from the search !

Just updated the answer and the search

Hi ,

Please try the below one,

index=internal source=*licenseusage.log type=Usage
| stats sum(b) as bytes by h
| eval MB = round(bytes/1024/1024,1)
| fields h MB
| rename h as host