Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me with my license report?

a212830
Champion
‎01-07-2019 08:56 AM

Hi,

I need to build a license usage chart report that shows Top10 index usage for the last year, by month. I've created a summary index, that stores the index, pool and source type (idx, pool, st) in a summary index. How would I generate this report? I'm uncertain what to put for the bin and span options. I have this for a daily report:

index=summary sourcetype=license_info | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time,  st, idx   | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | bin _time span=1d   | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

muralikoppula
Communicator
‎01-07-2019 09:35 AM

Try something like this:

index=summary earliest=-1y@y latest=@y | eval b=b/1024/1024/1024 |eval b=round(b,2)| stats sum(b) AS GB by idx | addtotals fieldname=tmp_GB GB | sort limit=10 -tmp_GB

If you want to show top indexes per month based on total usage by index, you'd do like this

index=summary sourcetype=license_info earliest=-1y@y latest=@y | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1mon | stats sum(b) as usage by _time idx | sort _time -usage | dedup 10 _time

View solution in original post

Reply
Solved! Jump to solution
Solution

muralikoppula
Communicator
‎01-07-2019 09:35 AM

Try something like this:

index=summary earliest=-1y@y latest=@y | eval b=b/1024/1024/1024 |eval b=round(b,2)| stats sum(b) AS GB by idx | addtotals fieldname=tmp_GB GB | sort limit=10 -tmp_GB

If you want to show top indexes per month based on total usage by index, you'd do like this

index=summary sourcetype=license_info earliest=-1y@y latest=@y | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1mon | stats sum(b) as usage by _time idx | sort _time -usage | dedup 10 _time
Reply
Solved! Jump to solution

a212830
Champion
‎01-07-2019 10:34 AM

Thanks! The first one looks like what I am looking for. What is the purpose of the "-tmp_GB" at the end of that query?

0 Karma
Reply
Solved! Jump to solution

muralikoppula
Communicator
‎01-07-2019 11:15 AM

Sort command sorts a report to give you top 10 MAX values based on "-tmp_GB" field.
Glad it worked out for you. Please don't forget to close the ticket if you dont have any further questions .

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎01-11-2019 02:16 PM

A little polish if you want:

eval b=b/1024/1024/1024 |eval b=round(b,2)

could be written as:

eval b = round( b / pow( 1024 , 3 ) , 2 )

Some may find it easier to read. Others may feel it's harder to read. But sharing anyway!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...