Installation
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find license usage by indexes?

sunnyparmar
Communicator
‎02-03-2016 04:25 AM

Hi,

I have made one search for finding the license usages for indexes that is given below.

index=_internal source=*license_usage.log type=usage (idx=*) | eval MB = round(b/1048576,2) | eval st_idx = st.": ".idx | timechart span=1d sum(MB) by st_idx | addtotals

Now the issue is if I pass through any index name to idx parameter, then it is giving result for the particular index, but when I am using * for enlisting all indexes, then it is giving "no result found".

Please give suggestions and help me to sort out this issue.

Thanks in advance...

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎02-03-2016 04:43 AM

Able to see result for both

index=_internal source="*license_usage.log" type=usage idx="*" | eval MB = round(b/1048576,2) | eval st_idx = st.": ".idx | timechart span=1d sum(MB) by st_idx | addtotals

And

index=_internal source="*license_usage.log" type=usage idx="windows" | eval MB = round(b/1048576,2) | eval st_idx = st.": ".idx | timechart span=1d sum(MB) by st_idx | addtotals

If the above is not working for you, can you check job inspector and see what's the final search when you replace idx=*

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎02-03-2016 04:43 AM

Able to see result for both

index=_internal source="*license_usage.log" type=usage idx="*" | eval MB = round(b/1048576,2) | eval st_idx = st.": ".idx | timechart span=1d sum(MB) by st_idx | addtotals

And

index=_internal source="*license_usage.log" type=usage idx="windows" | eval MB = round(b/1048576,2) | eval st_idx = st.": ".idx | timechart span=1d sum(MB) by st_idx | addtotals

If the above is not working for you, can you check job inspector and see what's the final search when you replace idx=*

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

Julian_Gudiel_S
Explorer
‎10-05-2017 07:45 AM

Than you for the answer !

This is strange, there is a difference between the total and the DMC :

SH query : 925 GB
DMC : 909 GB

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top