Hi All,
We need your help to extract the license usage report for all the indexes for the past one year, since we need to present the statistics to top management.
So is there any way to pull the report for the last one year, irrespective of index? Is there any search query, or any other way, to extract this information?
Kindly help on this.
You can get the license usage from the _internal index. So if your retention time on that index is more than 1 year, then you should still be able to get those statistics.
For example, license usage per index, per day:
index="_internal" source="*license_usage.log" type=Usage | bin _time span=1d | stats sum(b) AS bytes by _time,idx | eval DailyGB=bytes/1024/1024/1024 | timechart sum(DailyGB) by idx span=1d
But it fetches the result only for the last 30 days and not more than that. So how do I get the data for a longer duration?
Well, if you set your time window to All Time (or last year) and it still only fetches 30 days, that means your _internal index only contains the last 30 days of data. I'm afraid in that case you will not be able to get further historic data.
So for the future, you may want to increase the retention time on your internal index(es), or set up some summary indexing, to retain the statistics for the required amount of time.
PS: If your actual indexes do contain data for the whole year, there are ways to estimate license use from the size of the raw events, but that is not perfectly accurate and also is a very time consuming search to run over a year, if you have a lot of data.
Somehow I need to extract the information, so is there any way to retrieve the same?
Well, you could run something like this, but as said, that will perform terribly on big amounts of data, so you might want to find a smart way to split that up into chunks by time and run it bit by bit, depending on how much data you have. Or run it index by index.
index=* | bin _time span=1d | eval rawbytes = len(_raw) | stats sum(rawbytes) by _time
Thanks for your swift response. But I still need some more information.
When I ran the query for the last one day it picks up the top 10 indexes and the remaining indexes are categorized as "OTHER", but I need the information for each and every index present in our environment. It might be only some 10 MB, but I need to extract that information. So kindly help on the query.
Oh, yes, sorry. You can add limit=0 to the timechart command, to make it show all indexes.
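As an added illustration, not from the thread or from Splunk itself, the Python script below does offline what the SPL search in the accepted answer does in Splunk: it reads license_usage.log lines of type=Usage, bins them by day, sums the b field per idx and converts the result to GB. It also reproduces the "top N plus OTHER" collapse that timechart applies by default, so you can see why small indexes disappear until the limit is lifted (limit=0 in the SPL). The log lines are constructed samples; the field names type, idx and b are the ones the SPL search relies on, and the exact layout of a real license_usage.log line is assumed here rather than taken from the thread.

```python
"""
Per-index, per-day license usage from license_usage.log lines (added example).
Equivalent SPL from the thread:
  ... type=Usage | bin _time span=1d | stats sum(b) AS bytes by _time,idx
      | eval DailyGB=bytes/1024/1024/1024 | timechart sum(DailyGB) by idx span=1d
"""
import re
from collections import defaultdict

# Constructed sample lines shaped like license_usage.log events (assumed layout).
# One RolloverSummary line is included to show that non-Usage events are skipped.
SAMPLE_LOG = """\
03-01-2020 00:05:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web01" idx="os" i="idx-guid" pool="auto_generated_pool_enterprise" b=536870912 poolsz=53687091200
03-01-2020 00:06:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/nginx/access.log" st="access_combined" h="web01" idx="web" i="idx-guid" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
03-01-2020 00:07:00.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st="syslog" h="fw01" idx="firewall" i="idx-guid" pool="auto_generated_pool_enterprise" b=10485760 poolsz=53687091200
03-01-2020 00:08:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_enterprise" b=1621098496 poolsz=53687091200
03-02-2020 00:05:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web01" idx="os" i="idx-guid" pool="auto_generated_pool_enterprise" b=268435456 poolsz=53687091200
03-02-2020 00:06:00.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st="syslog" h="fw01" idx="firewall" i="idx-guid" pool="auto_generated_pool_enterprise" b=5242880 poolsz=53687091200
"""

# key=value pairs, either quoted ("...") or bare (no whitespace)
FIELD_RE = re.compile(r'\b(?P<key>[A-Za-z_]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
# leading MM-DD-YYYY timestamp; the day is our "bin _time span=1d"
TS_RE = re.compile(r"^(\d{2})-(\d{2})-(\d{4}) ")


def parse_usage_line(line):
    """Return (day, idx, bytes) for a type=Usage line, or None for anything else."""
    ts = TS_RE.match(line)
    if not ts:
        return None
    month, day, year = ts.groups()
    fields = {}
    for f in FIELD_RE.finditer(line):
        fields[f.group("key")] = f.group("quoted") if f.group("quoted") is not None else f.group("bare")
    if fields.get("type") != "Usage" or "idx" not in fields or "b" not in fields:
        return None
    return f"{year}-{month}-{day}", fields["idx"], int(fields["b"])


def usage_by_day_and_index(log_text):
    """stats sum(b) by day,idx -> {(day, idx): bytes}."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_usage_line(line)
        if parsed:
            day, idx, nbytes = parsed
            totals[(day, idx)] += nbytes
    return dict(totals)


def to_gb(nbytes):
    """Same conversion as the SPL eval: bytes/1024/1024/1024."""
    return nbytes / 1024 / 1024 / 1024


def daily_gb_table(totals, limit=10):
    """Pivot to {day: {idx: GB}} like `timechart sum(DailyGB) by idx`.

    limit>0 keeps only the `limit` largest indexes (by total bytes) as their own
    column and folds the rest into OTHER, mirroring timechart's default top-10
    behaviour that hid the small indexes in the thread. limit=0 keeps every index,
    which is what adding limit=0 to timechart achieves.
    """
    per_index = defaultdict(int)
    for (_, idx), nbytes in totals.items():
        per_index[idx] += nbytes
    if limit > 0:
        ranked = sorted(per_index.items(), key=lambda kv: kv[1], reverse=True)
        keep = {idx for idx, _ in ranked[:limit]}
    else:
        keep = set(per_index)
    table = defaultdict(lambda: defaultdict(float))
    for (day, idx), nbytes in totals.items():
        column = idx if idx in keep else "OTHER"
        table[day][column] += to_gb(nbytes)
    return {day: dict(cols) for day, cols in sorted(table.items())}


if __name__ == "__main__":
    totals = usage_by_day_and_index(SAMPLE_LOG)
    print("default (top 2 + OTHER):", daily_gb_table(totals, limit=2))
    print("limit=0 (all indexes):  ", daily_gb_table(totals, limit=0))
```

Point the script at an archived copy of license_usage.log (for example one you retain outside Splunk beyond the _internal retention period) by replacing SAMPLE_LOG with the file's contents; in real data only the type=Usage events carry the per-index byte counts, so filtering on that field, as both the SPL and the parser do, is what keeps summary events from being double counted.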
Thanks it works as expected.
Great! Please mark the answer as accepted, so it is clear your question is answered and others can also easily find the answer 🙂