Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need query to get % lic usage each day for the last 30 days

brent_weaver
Builder
‎07-26-2017 07:57 AM

This cannot be that hard... What am I missing 🙂

I need to be able to report our % lic usage per day for the last 30 days. Any help is MUCH appreciated!

Tags (1)
0 Karma
Reply

sbbadri
Motivator
‎07-26-2017 11:36 AM

@brent_weaver

try this below query,

index=_internal source=*license_usage.log type=usage earliest=-30d@d latest=@d | eval GB = round(b/1024/1024/1024,5) | timechart span=1d sum(GB) AS "Total GB used" | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d latest=@d | bin _time span=1d | stats latest(stacksz) AS "stack_size" by _time] | eval stack_size = round(stack_size/1024/1024/1024,5)

or

index=_internal source=*license_usage.log type="Usage" earliest=-30d@d latest=@d | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | eval b=b/1024/1024/1024 | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | addtotals | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d latest=@d | bin _time span=1d | stats latest(stacksz) AS "stack_size" by _time] | eval stack_size = round(stack_size/1024/1024/1024,5)

0 Karma
Reply

brent_weaver
Builder
‎07-28-2017 11:17 AM

Thank you for these. How do I jst get the GB used? I would also like to have %lic consumption field.

Thanks!

0 Karma
Reply

sbbadri
Motivator
‎07-28-2017 12:24 PM

index=_internal source=license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b latest(stacksz) AS stacksz by slave, pool, _time | stats sum(b) AS volumeB max(stacksz) AS stacksz by _time | eval pctused=round(volumeB/stacksz*100,2) | timechart span=1d max(pctused) AS "% used" fixedrange=false

0 Karma
Reply

brent_weaver
Builder
‎07-26-2017 08:47 AM

Hey thanks for the reply! It gives me this query:

index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b latest(stacksz) AS stacksz by slave, pool, _time | stats sum(b) AS volumeB max(stacksz) AS stacksz by _time | eval pctused=round(volumeB/stacksz*100,2) | timechart span=1d max(pctused) AS "% used" fixedrange=false

Which returns zero results. But this will at least give me what I am shooting for as a baseline.

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎07-26-2017 08:17 AM

Go to the web interface of your license master. Settings -> Licensing -> Usage report -> Previous 30 days. You can find the searches in the dashboard panels there.

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...