Solved: How do I view daily license usage by index?

vqd361 · ‎09-12-2014

Splunk 6.1's license usage reporting will let me view my license usage by index for the last 30 days, but the graph only shows 10 indexes. The rest are presumably in the entry titled "OTHER". How do I get a report that lists all of my indexes? I opened the search for the graph and viewed it in the Statistics tab, but I still have a column called "OTHER".

Here's the search that I'm using. I don't see where it's combining indexes into "OTHER".

index=_internal source=*license_usage.log type="Usage"
 | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
 | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
 | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
 | bin _time span=1d
 | stats sum(b) as b by _time, pool, s, st, h, idx
 | timechart span=1d sum(b) AS volumeB by idx fixedrange=false
 | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d
 | eval _time=_time - 43200
 | bin _time span=1d
 | stats latest(stacksz) AS "stack size" by _time]
 | fields - _timediff
 | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
 | fields - "stack size"

martin_mueller · ‎09-12-2014

useother=f will hide the OTHER field... instead, use limit=0 to not stop at ten values.

View solution in original post

martin_mueller · ‎09-12-2014

useother=f will hide the OTHER field... instead, use limit=0 to not stop at ten values.

vqd361 · ‎09-14-2014

Thanks. Adding limit=0 to the timechart command produced exactly the result I was looking for.

s2_splunk · ‎09-12-2014

As MuS mentioned in his comment: useother=f doc link

MuS · ‎09-12-2014

Use timechart with option useother=f

How do I view daily license usage by index?

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?