Hi SMEs,
Hope you are doing great. I am curious to know how to check the daily data consumption (GB/Day) from a specific Heavy Forwarder using a Splunk search when there are multiple HFs in the deployment. Thanks in advance.
Thanks for the valuable query, a few points here:
1- I am unable to locate my HF under the h field (searching by IP as well as hostname).
2- How can I put a restriction on a per-day basis, e.g. to create a bar chart showing license consumption during the week?
3- I have another way to look into it, as I mainly would like to calculate data ingestion where the index names have a common starting name, like index="test*", and I found a field, idx, to query the same. However, how do I add up all the data and show it in a graph?
4- Also, I think this is the license in GB: | eval licenseGB =round(license/1024/1024/1024,3). Why did you rename it to TB?
Hi @pm2012
You can use the following query:
index=_internal source="*license_usage.log" type=Usage h="<forwarder name>"
| rename _time as Date
| eval Date=strftime(Date,"%b-%y")
| stats sum(b) as license by Date h
| eval licenseGB =round(license/1024/1024/1024,3)
| rename licenseGB as TB
Don't you mean
| rename licenseGB as GB
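
For points 2 and 3 above, one way to chart daily ingestion for the indexes whose names start with test, added here as an example and not part of any post in this thread. The 7-day window and the Total_GB column name are assumptions; b and idx are the byte-count and index fields of license_usage.log already used in the thread.

```spl
index=_internal source="*license_usage.log" type=Usage idx="test*" earliest=-7d@d latest=@d
| eval GB = b/1024/1024/1024
| timechart span=1d sum(GB) by idx
| addtotals fieldname=Total_GB
```

Rendered as a column chart, this gives one bar group per day with one series per matching index, plus Total_GB as the daily sum across them. The search has to run where the license manager's _internal events are searchable.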