How to create a search to calculate top5 license c...

umesh · ‎10-07-2022

Hi

I wanted to get the details of the top 5 indexes consuming high license seperated by date for last 7 days in a single query.

16th -top 5 index --gb

17th -top 5 index --gb

18th top 5 index --gb

.........

Please help me with the above query

richgalloway · ‎10-10-2022

The Monitoring Console has such a search. See Indexing->License Usage->Historic License Usage.

Here is a slightly modified version of that search that should more close meet your requirements.

index=_internal source=*license_usage.log* type="Usage" earliest=-7d
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, idx 
| timechart limit=5 span=1d sum(b) AS volumeB by idx fixedrange=false 
| fields - _timediff 
| foreach "*" 
    [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

---
If this reply helps you, Karma would be appreciated.

How to create a search to calculate top5 license consuming index for last 7 days?

resource usage

search head

search performance

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation