Installation

how to get the license usage of other hosts which do not match a pattern?

kiran_mh
Explorer

Hi,

We have the following query:

index =_internal source =*license_usage.log type ="Usage" | eval Team =case(h like "%-ec2%" OR h like "%-usnw%" OR h like "%-usw%" OR h like "IP-%" OR h like "%-EU%" OR h like "%-SYD%" OR h like "%-BR%" OR h like "%-AP%" OR h like "%-JP%" OR h like "%-load%" OR h like "ens-%", "AWS", h like "%-IAD" OR h like "%-FRA" OR h like "%-LAS" OR h like "%-AMS" OR h like "%-STAGE", "COLO" , h like "STORAGE-BIGDATA-%" OR h like "SF-AZUZE-%" OR h like "STORAGE-USE-%" OR h like "STORAGE-USNC-%" OR h like "STORAGE-APE-%" OR h like "STORAGE-EUN-%", "AZURE") | eval GB=(b/(1024*1024*1024)) | stats sum(GB) by Team | rename sum(GB) as License_Usage_GB | sort -License_Usage_GB

which gives us the license usage of hosts in a particular team,

we want to get the license usage of other hosts which do not match the given patterns above.

Thanks in advance.........

Tags (1)
0 Karma

inventsekar
Super Champion

On the eval case statement, we can add a default match for all others as 1=1, "other_teams"

index =internal source =*license_usage.log type ="Usage" | eval Team =case(h like "%-ec2%" OR h like "%-usnw%" OR h like "%-usw%" OR h like "IP-%" OR h like "%-EU%" OR h like "%-SYD%" OR h like "%-BR%" OR h like "%-AP%" OR h like "%-JP%" OR h like "%-load%" OR h like "ens-%", "AWS", h like "%-IAD" OR h like "%-FRA" OR h like "%-LAS" OR h like "%-AMS" OR h like "%-STAGE", "COLO" , h like "STORAGE-BIGDATA-%" OR h like "SF-AZUZE-%" OR h like "STORAGE-USE-%" OR h like "STORAGE-USNC-%" OR h like "STORAGE-APE-%" OR h like "STORAGE-EUN-%", "AZURE",1=1, "othe teams") | eval GB=(b/(1024*1024*1024)) | stats sum(GB) by Team | rename sum(GB) as License_Usage_GB | sort -License_Usage_GB

0 Karma

JDukeSplunk
Builder

I think that a 1=1, "Other" would work for you.

"STORAGE-EUN-%", "AZURE", h 1=1, "Other") | eval GB=

Or maybe

|search NOT Team=*
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!