I need to produce a license report by index that i...

morphis72 · ‎03-22-2019

I need to build a monthly report that shows average daily usage for charge-back purposes. I have sorted out how to give them everything they are asking for except for the data retention. They want me to include a column in the report that shows what indexes are 30, 93, 180 or 365 days of retention.

How would I go about adding that information?

This is my search so far:

earliest=-30d@d latest=@d index=internal source=license_usage.log type=Usage idx="" |
eval date=strftime(_time, "%Y%m%d") |
stats sum(b) as sum by idx, date |
eval GB = sum/1024/1024/1024 |
chart avg(GB) as "Average Daily - GB", max(GB) as "Monthly Peak - GB" by idx |
rex field=idx "^.?(?\d+)_(?\d+)$"

FrankVl · ‎03-22-2019

Add the following to your current search:

join type=left idx [
| rest /services/data/indexes 
| rename title as idx 
| eval retention_period = frozenTimePeriodInSecs / (3600*24) 
| table idx,retention_period
]

I need to produce a license report by index that includes retention period

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

I need to produce a license report by index that includes retention period

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey