We are finding it very hard to calculate the license usage details by each host, I had executed the below query which I had got from one of the post in answers.com based on the query, we are able to see the license usage details per sourcetype and per hostname for a particular index, but difficult part is that in hostname field value we are seeing (SQUASHED) as value and that is consuming more license, so could anyone guide me on how to find the exact hostname details from the (SQUASHED) output.
index=_internal source=*license_usage.log* type="Usage" idx="XXX" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval st=if(len(st)=0 OR isnull(st),"(UNKNOWN)",st) | fields _time,b,h,st | bin _time span=1d | stats sum(b) AS volume by h, _time,st | stats avg(volume) AS avgVolume max(volume) AS maxVolume by h,st | eval avgVolumeGB=round(avgVolume/1024/1024/1024,3) | eval maxVolumeGB=round(maxVolume/1024/1024/1024,3) | fields h,st, avgVolumeGB, maxVolumeGB | rename avgVolumeGB AS "average" maxVolumeGB AS "peak",st AS "sourcetype", h AS "hostname" | sort - average | head 10
hostname Sourcetype average peak
(SQUASHED) test:test1:cisco 175.934 409.272
Problem statement: how to find the exact hostname details from the (SQUASHED) output.