Hi All,

We are finding it very hard to calculate the license usage details by each host, I had executed the below query which I had got from one of the post in answers.com based on the query, we are able to see the license usage details per sourcetype and per hostname for a particular index, but difficult part is that in hostname field value we are seeing (SQUASHED) as value and that is consuming more license, so could anyone guide me on how to find the exact hostname details from the (SQUASHED) output.

index=_internal source=*license_usage.log* type="Usage" idx="XXX"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval st=if(len(st)=0 OR isnull(st),"(UNKNOWN)",st)
| fields _time,b,h,st
| bin _time span=1d
| stats sum(b) AS volume by h, _time,st
| stats avg(volume) AS avgVolume max(volume) AS maxVolume by h,st
| eval avgVolumeGB=round(avgVolume/1024/1024/1024,3)
| eval maxVolumeGB=round(maxVolume/1024/1024/1024,3)
| fields h,st, avgVolumeGB, maxVolumeGB
| rename avgVolumeGB AS "average" maxVolumeGB AS "peak",st AS "sourcetype", h AS "hostname"
| sort - average
| head 10

Output 

hostname                             Sourcetype                                      average       peak 

(SQUASHED)                       test:test1:cisco                               175.934    409.272

Problem statement: how to find the exact hostname details from the (SQUASHED) output.