How to search License Usage by Host to Dashboard?

anandhalagaras1
Path Finder

Hi Team,

I want to pull the license usage stats for 4 to 5 particular hosts for the last 30 days, with a time span of 1 day, in GB, and bring it into a dashboard, so kindly help out with the query.

 

host information

host 1 = xyz

host 2 = abc

host 3 = def

host 4 = ghi

host= vbg

 

0 Karma

gcusello
Legend

Hi @anandhalagaras1,

you can use the search that you can find at [Settings -- Licensing -- Usage Reports -- Previous 60 days -- Split by host].

If you want to add the additional filter to limit results to the 5 hosts you want to monitor, you can add the additional condition "| search h IN (abc, def, ghi, xyz, vbg)", something like this:

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx
| search h IN (abc, def, ghi, xyz, vbg)
| timechart span=1d sum(b) AS volumeB by h fixedrange=false  
| join type=outer _time [ search 
   index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d 
   | eval _time=_time - 43200 
   | bin _time span=1d 
   | dedup _time stack 
   | stats sum(stacksz) AS "stack size" by _time ] 
| fields - _timediff  
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Ciao.

Giuseppe

 

0 Karma

anandhalagaras1
Path Finder

@gcusello ,

 

Thanks for your inputs.

 

I have provided the exact host information as mentioned in the query, but there are no results at all.

search h IN (abc, def, gih, xyz, vbg) so kindly help on the same.

 

 

0 Karma

gcusello
Legend

Hi @anandhalagaras1,

run the search without the additional filter and see if the hosts you want to monitor are present in results, then add the additional condition.

Ciao.

Giuseppe

0 Karma

anandhalagaras1
Path Finder

@gcusello 

 

I have removed the additional filter ( | search h IN (abc, def, gih, xyz, vbg) ) from the query and tried to search, but still there were no results. So kindly let me know where I went wrong.

This is the query I tried:

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| timechart span=1d sum(b) AS volumeB by h fixedrange=false
| join type=outer _time [ search
index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| dedup _time stack
| stats sum(stacksz) AS "stack size" by _time ]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

 

 

So hence I have navigated to the Cloud Monitoring Console-->License-->Ingest and have chosen the Split by Host, and here it provides the top 10 consumers for the last 30 days. And the query is like this below:

 

`sim_licensing_usage_base`
| `sim_licensing_usage_all("h")`
| append
[| search (index=summary source="splunk-ingestion" earliest=-30d@d)
| bin _time span=1d
| stats max(ingest_license) as license by _time]
| stats values(*) as * by _time
| rename license as "license limit"
| fields - volume

But I want to find the license usage for a few hosts alone for the last 30 days.

0 Karma

gcusello
Legend

Hi @anandhalagaras1,

sorry, I didn't understand that you're using Splunk Cloud. Anyway, go in the Cloud Monitoring Console to [License Usage -- Ingest -- Split by host] and you have the starting point search to modify by adding the additional filter.

In other words:

(index=_internal host=*.*splunk*.* NOT host=sh*.*splunk*.* source=*license_usage.log* type="Usage") 
| eval h=if(((len(h) == 0) OR isnull(h)),"(SQUASHED)",h) 
| eval s=if(((len(s) == 0) OR isnull(s)),"(SQUASHED)",s) 
| eval idx=if(((len(idx) == 0) OR isnull(idx)),"(UNKNOWN)",idx) 
| search h IN (abc, def, ghi, xyz, vbg) 
| timechart span=1d eval(round((sum(b)/pow(2,30)),3)) AS Volume by h 
| append [ | search 
   (index=summary source="splunk-ingestion" earliest=-30d@d) 
   | bin _time span=1d 
   | stats max(ingest_license) as license by _time
   ] 
| stats values(*) as * by _time 
| rename license as "license limit" 
| fields - volume

Ciao.

Giuseppe

0 Karma
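
Added example, not code from the thread or from Splunk: the per-host daily aggregation that the searches above perform, written in Python over constructed license_usage.log-style lines. The line layout, the sample values and the function name `daily_gb_by_host` are assumptions for illustration; the `(SQUASHED)` bucket is kept in the output because usage logged with an empty `h` cannot be attributed to any host in the filter.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a key=value layout like license_usage.log (not real data).
SAMPLE = '''\
06-01-2022 10:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/a" st="syslog" h="abc" o="" idx="main" i="GUID" pool="p1" b=1073741824 poolsz=5368709120
06-01-2022 11:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/b" st="syslog" h="abc" o="" idx="main" i="GUID" pool="p1" b=536870912 poolsz=5368709120
06-01-2022 11:30:00.000 +0000 INFO  LicenseUsage - type=Usage s="" st="syslog" h="" o="" idx="main" i="GUID" pool="p1" b=2147483648 poolsz=5368709120
06-02-2022 09:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/c" st="json" h="xyz" o="" idx="web" i="GUID" pool="p1" b=268435456 poolsz=5368709120
06-02-2022 09:05:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/d" st="json" h="other" o="" idx="web" i="GUID" pool="p1" b=4294967296 poolsz=5368709120
06-02-2022 23:59:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary stack="enterprise" stacksz=5368709120
'''

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def daily_gb_by_host(text, hosts):
    """Sum b per (day, h) for type=Usage events and return GB (2**30 bytes).

    Mirrors the searches in the thread: an empty or missing h becomes
    "(SQUASHED)", events are binned per day, and only the requested hosts
    are kept. The squashed bucket is also returned so unattributed volume
    stays visible.
    """
    totals = defaultdict(int)
    for line in text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
        if fields.get("type") != "Usage":
            continue  # RolloverSummary and other event types carry no per-host b
        host = fields.get("h") or "(SQUASHED)"
        day = datetime.strptime(line[:10], "%m-%d-%Y").date().isoformat()
        totals[(day, host)] += int(fields["b"])
    wanted = set(hosts) | {"(SQUASHED)"}
    return {key: round(b / 2**30, 3) for key, b in totals.items() if key[1] in wanted}


if __name__ == "__main__":
    for (day, host), gb in sorted(daily_gb_by_host(SAMPLE, ["abc", "def", "ghi", "xyz", "vbg"]).items()):
        print(day, host, gb)
```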