Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate the top 5 license usage by indexes (Average value) for the last 30 days?

bsantosh
New Member
‎08-07-2018 04:56 AM

Hi, I would like to calculate the average of top 5 indexes by license usage for the last 30 days.
Note: there is a separate license one each for prod. and pre-prod. env.
Example: "test1-prod" (index for prod. env.) and "test1-preprod" (index for pre-prod. env.).
Need to addup the pre-prod and prod license into a single index and showup in top 5.

Ex:
- Calculate the average license usage for last 30 days for 'test1-prod' index
- Calculate the average license usage for last 30 days for 'test1-preprod' index
- Calculate the average license usage of both the indexes combined.
- Show the top 5 indexes (prod. +preprod.) license usages for the last 30 days

Required Output should be something like below:

Top 5 Indexes by License Usage:

Indexes           Avg.License usage (in GB)
test1                25
test2                21
test3                15
test5                10
test4                  5

test1 ---> avg.(test1-prod + test1-preprod)
test2 ---> avg.(test2-prod + test2-preprod)
test3 ---> avg.(test3-prod + test3-preprod)
test4 ---> avg.(test4-prod + test4-preprod)
test5 ---> avg.(test5-prod + test5-preprod)

Let me know if you need any further clarification.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-07-2018 08:31 AM

Give this a try (Run from your License server. If you forward your license server logs to your indexer[recommended] then it can be run from any search head)

index=_internal source=*license_usage.log type="RolloverSummary" 
| bucket span=1d _time 
| stats sum(b) as usage by _time idx
| eval idx=replace(idx,"-(pro|preprod)","") 
| stats sum(usage) as usage by _time idx
| stats avg(usage) as usage by idx
| sort 5 -usage | eval usage=round(usage/1024/1024/1024,2)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bsantosh
New Member
‎08-08-2018 12:52 AM

Thanks for the quick help. Its working.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-07-2018 08:31 AM

Give this a try (Run from your License server. If you forward your license server logs to your indexer[recommended] then it can be run from any search head)

index=_internal source=*license_usage.log type="RolloverSummary" 
| bucket span=1d _time 
| stats sum(b) as usage by _time idx
| eval idx=replace(idx,"-(pro|preprod)","") 
| stats sum(usage) as usage by _time idx
| stats avg(usage) as usage by idx
| sort 5 -usage | eval usage=round(usage/1024/1024/1024,2)
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...