Reporting

Can you help me with my license report?

Champion

Hi,

I need to build a license usage chart report that shows Top10 index usage for the last year, by month. I've created a summary index, that stores the index, pool and source type (idx, pool, st) in a summary index. How would I generate this report? I'm uncertain what to put for the bin and span options. I have this for a daily report:

index=summary sourcetype=license_info | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time,  st, idx   | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | bin _time span=1d   | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
0 Karma
1 Solution

Communicator

Try something like this:

index=summary earliest=-1y@y latest=@y | eval b=b/1024/1024/1024 |eval b=round(b,2)| stats sum(b) AS GB by idx | addtotals fieldname=tmp_GB GB | sort limit=10 -tmp_GB

If you want to show top indexes per month based on total usage by index, you'd do like this

index=summary sourcetype=license_info earliest=-1y@y latest=@y | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1mon | stats sum(b) as usage by _time idx | sort _time -usage | dedup 10 _time 

View solution in original post

Communicator

Try something like this:

index=summary earliest=-1y@y latest=@y | eval b=b/1024/1024/1024 |eval b=round(b,2)| stats sum(b) AS GB by idx | addtotals fieldname=tmp_GB GB | sort limit=10 -tmp_GB

If you want to show top indexes per month based on total usage by index, you'd do like this

index=summary sourcetype=license_info earliest=-1y@y latest=@y | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1mon | stats sum(b) as usage by _time idx | sort _time -usage | dedup 10 _time 

View solution in original post

Champion

Thanks! The first one looks like what I am looking for. What is the purpose of the "-tmp_GB" at the end of that query?

0 Karma

Communicator

Sort command sorts a report to give you top 10 MAX values based on "-tmp_GB" field.
Glad it worked out for you. Please don't forget to close the ticket if you dont have any further questions .

0 Karma

Ultra Champion

A little polish if you want:

eval b=b/1024/1024/1024 |eval b=round(b,2)

could be written as:

eval b = round( b / pow( 1024 , 3 ) , 2 )

Some may find it easier to read. Others may feel it's harder to read. But sharing anyway!

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!