Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Daily license usage by index on Splunk Cloud

sidekix24
Path Finder
‎12-05-2017 12:18 PM

We just migrated over to Splunk Cloud and I'm trying to figure out how to view our daily license usage by index. I was able to do this before on the on-prem setup by going to licensing then license usage then change around the search.

With Splunk Cloud I can look up the usage in monitoring console but that shows it as a whole and when I open up the search, the index fields aren't being captured in the events.

Does anyone know how I can pull this info up?

Thanks

0 Karma
Reply

mdsnmss
SplunkTrust
SplunkTrust
‎12-26-2017 09:45 AM

Here is a base search for Splunk licensing events:

index=_internal source=*license_usage.log type="Usage"    | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)   | eval sourcetypename = st   | bin _time span=1d    | stats values(poolsz) as poolsz sum(b) as b by _time, pool, indexname, sourcetypename | eval GB=(b/1024/1024/1024)  | eval pool=(poolsz/1024/1024/1024) | fields _time, indexname, sourcetypename, GB, pool

This search will get you a list of usage across index and sourcetype for your specified timerange and is collected into 1 day buckets (since licensing goes by day). In order to get usage by index you can just add "| stats sum(GB) by indexname, _time" to the end of the search and that should give you each index's license usage for each day within your specified timerange. Unfortunately, I am not familiar with Splunk Cloud _internal events. Are these the events that aren't showing index fields within the event? If this search does not work for you, could you post a sample of the events you are seeing?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...