- Splunk Answers
- :
- Splunk Administration
- :
- Installation
- :
- How to search License Usage by Host to Dashboard?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to search License Usage by Host to Dashboard?
Hi Team,
I want to pull the license usage stats particularly for 4 to 5 hosts for the last 30 days with a time span of 1 day in GB and bring it in a dashboard so kindly help out with the query.
host information
host 1 = xyz
host 2 = abc
host 3 = def
host 4 = ghi
host= vbg
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @anandhalagaras1,
you can use the search that you can find at [Settings -- Licensing -- Usage Reports -- Previous 60 days -- Split by host].
If you want to add the additional filter to limit results to the 5 hosts you want to monitor, you can add the additioal condition "| search h IN (abc, def, gih, xyz, vbg)" something like this:
index=_internal [`set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search h IN (abc, def, gih, xyz, vbg)
| timechart span=1d sum(b) AS volumeB by h fixedrange=false
| join type=outer _time [ search
index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| dedup _time stack
| stats sum(stacksz) AS "stack size" by _time ]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your inputs.
I have provided the exact host information as mentioned in the query but there no results at all.
search h IN (abc, def, gih, xyz, vbg) so kindly help on the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @anandhalagaras1,
run the search without the additional filter and see if the hosts you want to monitor are present in results, then add the additional condition.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have removed the additional filter ( | search h IN (abc, def, gih, xyz, vbg) ) from the query and tried to search but still there were no results. So kindly let me know were I went wrong.
This is the query i tried:
index=_internal [`set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| timechart span=1d sum(b) AS volumeB by h fixedrange=false
| join type=outer _time [ search
index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| dedup _time stack
| stats sum(stacksz) AS "stack size" by _time ]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
So hence I have navigated to the Cloud Monitoring Console-->License-->Ingest and have choosen the the Split by Host and here it provides the top 10 conusmers for last 30 days. And the query is like this below:
`sim_licensing_usage_base`
| `sim_licensing_usage_all("h")`
| append
[| search (index=summary source="splunk-ingestion" earliest=-30d@d)
| bin _time span=1d
| stats max(ingest_license) as license by _time]
| stats values(*) as * by _time
| rename license as "license limit"
| fields - volume
But I want to find the license usage for few hosts alone for last 30 days.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @anandhalagaras1,
sorry, I didn't understand that you're using Splunk Cloud, anyway, go in the Cloud Monitoring Console to [Liense Usage -- Ingest -- Split by host] and you have the starting point search to modify adding the additional filter.
In other words:
(index=_internal host=*.*splunk*.* NOT host=sh*.*splunk*.* source=*license_usage.log* type="Usage")
| eval h=if(((len(h) == 0) OR isnull(h)),"(SQUASHED)",h)
| eval s=if(((len(s) == 0) OR isnull(s)),"(SQUASHED)",s)
| eval idx=if(((len(idx) == 0) OR isnull(idx)),"(UNKNOWN)",idx)
| search h IN (abc, def, gih, xyz, vbg)
| timechart span=1d eval(round((sum(b)/pow(2,30)),3)) AS Volume by h
| append [ | search
(index=summary source="splunk-ingestion" earliest=-30d@d)
| bin _time span=1d
| stats max(ingest_license) as license by _time
]
| stats values(*) as * by _time
| rename license as "license limit"
| fields - volumeCiao.
Giuseppe
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
