Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a search to calculate top5 license consuming index for last 7 days?

umesh
Path Finder
‎10-07-2022 03:40 AM

Hi 

 

I wanted to get the details  of the top 5 indexes consuming high license seperated by date  for last 7 days in a single query.

16th -top 5 index --gb

17th -top 5 index --gb

18th top 5 index  --gb 

.........

Please help me with the above query 

 

Labels (3)
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-10-2022 05:16 PM

The Monitoring Console has such a search.  See Indexing->License Usage->Historic License Usage.

Here is a slightly modified version of that search that should more close meet your requirements.

index=_internal source=*license_usage.log* type="Usage" earliest=-7d
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, idx 
| timechart limit=5 span=1d sum(b) AS volumeB by idx fixedrange=false 
| fields - _timediff 
| foreach "*" 
    [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...