@gcusello ,

Thanks for your inputs.

I have provided the exact host information as mentioned in the query but there no results at all. 

search h IN (abc, def, gih, xyz, vbg) so kindly help on the same.

Hi @anandhalagaras1,

run the search without the additional filter and see if the hosts you want to monitor are present in results, then add the additional condition.

Ciao.

Giuseppe

@gcusello 

I have removed the additional filter ( | search h IN (abc, def, gih, xyz, vbg) ) from the query and tried to search but still there were no results. So kindly let me know were I went wrong.

This is the query i tried:

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| timechart span=1d sum(b) AS volumeB by h fixedrange=false
| join type=outer _time [ search
index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| dedup _time stack
| stats sum(stacksz) AS "stack size" by _time ]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

So hence I have navigated to the Cloud Monitoring Console-->License-->Ingest and have choosen the the Split by Host and here it provides the top 10 conusmers for last 30 days. And the query is like this below:

`sim_licensing_usage_base`
| `sim_licensing_usage_all("h")`
| append
[| search (index=summary source="splunk-ingestion" earliest=-30d@d)
| bin _time span=1d
| stats max(ingest_license) as license by _time]
| stats values(*) as * by _time
| rename license as "license limit"
| fields - volume

But I want to find the license usage for few hosts alone for last 30 days. 

Hi @anandhalagaras1,

sorry, I didn't understand that you're using Splunk Cloud, anyway, go in the Cloud Monitoring Console to [Liense Usage -- Ingest -- Split by host] and you have the starting point search to modify adding the additional filter.

In other words:

(index=_internal host=*.*splunk*.* NOT host=sh*.*splunk*.* source=*license_usage.log* type="Usage") 
| eval h=if(((len(h) == 0) OR isnull(h)),"(SQUASHED)",h) 
| eval s=if(((len(s) == 0) OR isnull(s)),"(SQUASHED)",s) 
| eval idx=if(((len(idx) == 0) OR isnull(idx)),"(UNKNOWN)",idx) 
| search h IN (abc, def, gih, xyz, vbg) 
| timechart span=1d eval(round((sum(b)/pow(2,30)),3)) AS Volume by h 
| append [ | search 
   (index=summary source="splunk-ingestion" earliest=-30d@d) 
   | bin _time span=1d 
   | stats max(ingest_license) as license by _time
   ] 
| stats values(*) as * by _time 
| rename license as "license limit" 
| fields - volume

Ciao.

Giuseppe