Hi there!
So I am trying to figure out a way to see my license usage for longer than thirty days. I opened the report in search and changed earliest=-30d@d in both places, but it still does not work... can anyone help me figure out what I am missing?
index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=false
| join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
This would be a better search since the source in the internal index only has 30 days of information. The telemetry index pulls in the license summary source which goes back a lot further.
index=_telemetry host=csh-vm source=*license_usage_summary.log* type="RolloverSummary" earliest=-190d@d
| eval _time=_time - 273600
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=false
| join type=outer _time
[ search index=_telemetry host=csh-vm source=*license_usage_summary.log* type="RolloverSummary" earliest=-190d@d
| eval _time=_time - 273600
| bin _time span=1d
| dedup _time stack
| stats sum(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach "*"
[ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
How many days of events exist in _internal? Check and see - you can look at the index settings, or run a search:
index=_internal source=*license_usage.log type="RolloverSummary" earliest=0
| stats count earliest(_time) as earliest_time latest(_time) as latest_time
| eval num_days = round((latest_time - earliest_time)/86400,1)
| eval earliest_time = strftime(earliest_time,"%x %X")
| eval latest_time = strftime(latest_time,"%x %X")
Also, if you run your search over a long time period, you may exceed the subsearch limits in the join.
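A join-free variant of the search from the question, added here as an example and not posted by anyone in the thread: it pulls `b` and `stacksz` from the same events in one pass, so no subsearch is involved and the subsearch limits do not apply. It assumes a single license stack, so `max(stacksz)` per day is the same value the joined subsearch returned; the `stacksz` intermediate field name is chosen for illustration.

```spl
index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
``` keep the latest rollover per slave/pool/day, carrying the stack size along ```
| stats latest(b) AS b latest(stacksz) AS stacksz by slave, pool, _time
``` one row per day: total volume plus the stack size (assumes one stack) ```
| timechart span=1d sum(b) AS "volume" max(stacksz) AS "stack size" fixedrange=false
``` bytes to GB, as in the original report ```
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
```

The time range is still bounded by how long the index retains events, so the retention check above applies to this form as well.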