We ingest the debug logs from our Autodesk license servers into Splunk for license usage reporting/ pool exhaustion alerting, etc. I am trying to create a few reports to measure our unique user counts and maximum usage for our Autodesk licensing. I am getting some inconsistent results where the number of unique users is a lot lower than the max number of users over the same time frame. I feel like it is something wrong with the unique users query as the max users query results are pretty close to what I see in the live data. I am pretty new to Splunk so I suspect I am doing something wrong, but after many hours of trial and error I can not figure out what. The queries are below, I would appreciate any suggestions anyone may have.
Unique users per application query:
index="autodesk-licensing"
| lookup autodesklicenses.csv Feature AS product OUTPUT FriendlyName AS "product"
| rename "product" AS "Application", "username" AS "Username", "lichost" AS "Hostname"
| dedup Username
| addtotals
| stats count BY "Application"
| rename "count" AS "Total Unique Users"
Maximum usage query:
index="autodesk-licensing" sourcetype="lmutil"
| lookup autodesklicenses.csv Feature AS product OUTPUT FriendlyName AS "Autodesk License"
| timechart max(current_license_usage) span=8hours by "Autodesk License"
| eval date_wday=lower(strftime(_time,"%A"))
| where NOT (date_wday="saturday" OR date_wday="sunday")
| fields - date_wday
HI,
I guess that when you use the "| dedup Username" you are removing all duplicate entries of users.
As an example, if user "John" uses app A and app B, dedup command will return only one of these apps. I think the best approach for the unique users per application is to use the "| stats dc()".
You can try something like:
index="autodesk-licensing"
| lookup autodesklicenses.csv Feature AS product OUTPUT FriendlyName AS "product"
| rename "product" AS "Application", "username" AS "Username", "lichost" AS "Hostname"
| addtotals
| stats dc(Username) as "Total Unique Users" by "Application"