I'd like a report for license usage for all my indexes per day over X days. We have over 30 indexes and when I run the Daily License Usage in search, it only returns 11 or so indexes. Is there a way that I can get a report for all the indexes' usage, regardless of how little data is indexed in it?
Thanks in advance,
Try something like this
index=_internal source=*license_usage.log* type=Usage | bucket span=1d _time | stats sum(b) as bytes by _time idx | eval gb=round(bytes/1024/1024/1024,3) | fields - bytes| append [| gentimes start=-1 | addinfo | eval t=mvrange(info_min_time,info_max_time,86400) | table t | mvexpand t | rename t as _time | bucket span=1d _time | eval gb=0 | join type=left max=0 gb [| rest /services/data/indexes | table title | rename title as idx | eval gb=0]] | stats max(gb) as gb by _time idx
Yes! Take a look at this app: https://splunkbase.splunk.com/app/2678/
It supports exactly what you are talking about. I built it, so if you have any features requests, just comment on here or e-mail me.