Is there any way to pull the report on license usage for the last one year irrespective of all indexes?

anandhalagarasa
Path Finder

Hi All,

We need your help to extract the license usage report for all the indexes for the past one year, since we need to present the statistics to top management.

So is there any way to pull the report for the last one year, irrespective of all indexes? Is there any search query, or is there any way to extract the information?

Kindly help on this.


FrankVl
Ultra Champion

You can get the license usage from the _internal index. So if your retention time on that index is more than 1 year, then you should still be able to get those statistics.

For example, license usage per index, per day:

index="_internal" source="*license_usage.log" type=Usage | bin _time span=1d | stats sum(b) AS bytes by _time,idx | eval DailyGB=bytes/1024/1024/1024 | timechart sum(DailyGB) by idx span=1d


anandhalagarasa
Path Finder

But it fetches the result only for the last 30 days and not more than that. So how to get the data for a longer duration?

0 Karma

FrankVl
Ultra Champion

Well, if you set your time window to All Time (or last year) and it still fetches only 30 days, that means your _internal index only contains the last 30 days of data. I'm afraid in that case you will not be able to get further historic data.

So for the future, you may want to increase the retention time on your internal index(es), or set up some summary indexing, to retain the statistics for the required amount of time.

0 Karma
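One way to set up the retention increase and summary indexing suggested in the reply above, as an added example that is not part of the original thread. The 400-day retention value, the index name license_summary, the saved search name and its schedule are all assumptions.

```ini
# ---- indexes.conf (on the indexers) ----
# Keep _internal for about 400 days (400 * 86400 seconds).
# Buckets can still be frozen earlier if the index reaches
# maxTotalDataSizeMB, so check that limit as well.
[_internal]
frozenTimePeriodInSecs = 34560000

# Hypothetical summary index that holds one small row per index per day.
[license_summary]
homePath   = $SPLUNK_DB/license_summary/db
coldPath   = $SPLUNK_DB/license_summary/colddb
thawedPath = $SPLUNK_DB/license_summary/thaweddb
frozenTimePeriodInSecs = 94608000

# ---- savedsearches.conf (on the search head) ----
# Runs shortly after midnight and rolls up the previous full day
# from license_usage.log into the summary index.
[License usage daily rollup]
enableSched = 1
cron_schedule = 15 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
search = index=_internal source=*license_usage.log type=Usage \
| bin _time span=1d \
| stats sum(b) AS bytes by _time, idx \
| collect index=license_summary

# ---- Reporting search over the summary (run from the search bar) ----
# index=license_summary
# | eval DailyGB=bytes/1024/1024/1024
# | timechart span=1d limit=0 sum(DailyGB) by idx
```

The rollup only captures days from the point it is enabled; it cannot recover days that have already aged out of _internal.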

FrankVl
Ultra Champion

PS: If your actual indexes do contain data for the whole year, there are ways to estimate license use from the size of the raw events, but that is not perfectly accurate and also is a very time consuming search to run over a year, if you have a lot of data.

0 Karma

anandhalagarasa
Path Finder

Somehow I need to extract the information, so is there any way to retrieve the same?

0 Karma

FrankVl
Ultra Champion

Well, you could run something like this, but as said, that will perform terribly on big amounts of data, so you might want to find a smart way to split that up into chunks by time and run it bit by bit, depending on how much data you have. Or run it index by index.

index=* | bin _time span=1d | eval rawbytes = len(_raw) | stats sum(rawbytes) by _time
0 Karma

anandhalagarasa
Path Finder

Thanks for your swift response. But I still need some more information.

When I ran the query for the last one day, it picked up the top 10 indexes, and the remaining index information is categorized as "OTHERS", but I need the information for each and every index present in our environment. It might be only some 10mb, but I need to extract that information. So kindly help with the query.

0 Karma

FrankVl
Ultra Champion

Oh, yes, sorry. You can add a limit=0 to the timechart command, to make it show all indexes.

0 Karma

anandhalagarasa
Path Finder

Thanks it works as expected.

0 Karma

FrankVl
Ultra Champion

Great! Please mark the answer as accepted, so it is clear your question is answered and others can also easily find the answer 🙂

0 Karma