Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to get the license usage of other hosts which do not match a pattern?

kiran_mh
Explorer
‎09-20-2016 12:22 AM

Hi,

We have the following query:

index =_internal source =*license_usage.log type ="Usage" | eval Team =case(h like "%-ec2%" OR h like "%-usnw%" OR h like "%-usw%" OR h like "IP-%" OR h like "%-EU%" OR h like "%-SYD%" OR h like "%-BR%" OR h like "%-AP%" OR h like "%-JP%" OR h like "%-load%" OR h like "ens-%", "AWS", h like "%-IAD" OR h like "%-FRA" OR h like "%-LAS" OR h like "%-AMS" OR h like "%-STAGE", "COLO" , h like "STORAGE-BIGDATA-%" OR h like "SF-AZUZE-%" OR h like "STORAGE-USE-%" OR h like "STORAGE-USNC-%" OR h like "STORAGE-APE-%" OR h like "STORAGE-EUN-%", "AZURE") | eval GB=(b/(1024*1024*1024)) | stats sum(GB) by Team | rename sum(GB) as License_Usage_GB | sort -License_Usage_GB

which gives us the license usage of hosts in a particular team,

we want to get the license usage of other hosts which do not match the given patterns above.

Thanks in advance.........

Tags (1)
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-20-2016 06:42 AM

On the eval case statement, we can add a default match for all others as 1=1, "other_teams"

index =internal source =*license_usage.log type ="Usage" | eval Team =case(h like "%-ec2%" OR h like "%-usnw%" OR h like "%-usw%" OR h like "IP-%" OR h like "%-EU%" OR h like "%-SYD%" OR h like "%-BR%" OR h like "%-AP%" OR h like "%-JP%" OR h like "%-load%" OR h like "ens-%", "AWS", h like "%-IAD" OR h like "%-FRA" OR h like "%-LAS" OR h like "%-AMS" OR h like "%-STAGE", "COLO" , h like "STORAGE-BIGDATA-%" OR h like "SF-AZUZE-%" OR h like "STORAGE-USE-%" OR h like "STORAGE-USNC-%" OR h like "STORAGE-APE-%" OR h like "STORAGE-EUN-%", "AZURE",1=1, "othe teams") | eval GB=(b/(1024*1024*1024)) | stats sum(GB) by Team | rename sum(GB) as License_Usage_GB | sort -License_Usage_GB

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

JDukeSplunk
Builder
‎09-20-2016 05:57 AM

I think that a 1=1, "Other" would work for you. 

"STORAGE-EUN-%", "AZURE", h 1=1, "Other") | eval GB=

Or maybe 

|search NOT Team=*
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...