Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

License Usage of previously indexed data

Navanitha
Path Finder
‎02-07-2018 03:24 AM

Hi,

I am trying to calculate the license used by one of my index which is not in use now (meaning we stopped sending data to this index as it was consuming too much license just a week ago, so the previous logs are still present in the bucket). now we want to know how much license it was consuming earlier with a breakdown of host and source.

I tried checking the _internal index for the license usage using below query. I am able to get the results for other existing index but not this one I am looking for.

index=_internal source=license_usage.log type="Usage" splunk_server= idx=aom | eval Date=strftime(_time, "%Y/%m/%d") | eventstats sum(b) as volume by idx, Date | eval MB=round(volume/1024/1024,5)| timechart first(MB) AS volume by idx

can some one tell me how to do this.

Thanks in advance

Tags (1)
0 Karma
Reply

mayurr98
Super Champion
‎02-07-2018 03:29 AM

hey try this you will get info about each index

index=_internal 
    [ `set_local_host`] source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx 
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false 
| join type=outer _time 
    [ search index=_internal 
        [ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d 
    | eval _time=_time - 43200 
    | bin _time span=1d 
    | stats latest(stacksz) AS "stack size" by _time] 
| fields - _timediff 
| foreach * 
    [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

You can find the same in Licensing>>Usage Report >>Last 30 days>>by index
If you want to stick to your query then try idx=* to look for each index.
let me know if this helps!

0 Karma
Reply

Navanitha
Path Finder
‎02-07-2018 04:42 AM

Hi Mayur, thanks for the query. I tried running it but no results found.

0 Karma
Reply

splforfun
Engager
‎10-01-2020 10:38 AM

Make sure that you either set or remove this macro from both search stanzas. 

[ `set_local_host`] 

  

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...