I need to produce a license report by index that i...

morphis72 · ‎03-22-2019

I need to build a monthly report that shows average daily usage for charge-back purposes. I have sorted out how to give them everything they are asking for except for the data retention. They want me to include a column in the report that shows what indexes are 30, 93, 180 or 365 days of retention.

How would I go about adding that information?

This is my search so far:

earliest=-30d@d latest=@d index=internal source=license_usage.log type=Usage idx="" |
eval date=strftime(_time, "%Y%m%d") |
stats sum(b) as sum by idx, date |
eval GB = sum/1024/1024/1024 |
chart avg(GB) as "Average Daily - GB", max(GB) as "Monthly Peak - GB" by idx |
rex field=idx "^.?(?\d+)_(?\d+)$"

FrankVl · ‎03-22-2019

Add the following to your current search:

join type=left idx [
| rest /services/data/indexes 
| rename title as idx 
| eval retention_period = frozenTimePeriodInSecs / (3600*24) 
| table idx,retention_period
]

I need to produce a license report by index that includes retention period

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

I need to produce a license report by index that includes retention period

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!