Splunk Search

Can I add more details to my license usage by time search to see how much is going to DEBUG logs?

Celeste
Engager

I use the License Usage search (generally when I click through on a host or source from the License Usage page) and can manipulate the hosts or time blocks with no problem.

But I'd like to narrow down the information and determine how much license usage is going to DEBUG logs. Here is my original string:

index=_internal source="*license_usage.lo*" type=Usage | bucket _time span=60m | stats sum(b) as bytes by _time h | eval mb=bytes/1048576 | rename h as host | rename mb as Mbytes | search host="*-prd-*" 

Where would I put the term "[DEBUG]" to only count events that include that word?

Thanks!

0 Karma
1 Solution

somesoni2
Revered Legend

The license usage log provides license usage (bytes) by the following categories:
1) Time - time of data ingested
2) source - source from where data is coming
3) sourcetype - sourcetype assigned to data
4) host - host from where data is coming
5) index - index where data is getting ingested
6) indexer - Splunk indexer which is storing the data
7) LicensePool - license pool defined in your license master (one or more indexers will be part of the license pool)

index=_internal source="*license_usage.lo*" type=Usage | table _time, s, st, h, idx, i, pool, b | rename s as source, st as sourcetype, h as host, idx as index, i as indexer, pool as LicencePool, b as bytes

It doesn't show the distribution based on the content of the data. So with the current query you can't get the information you're looking for.

One approximate and totally inefficient way of getting the information you need is by counting the size of _raw. Something like this, but like many Splunkers, I would not suggest using this.

index=* DEBUG | eval bytes=len(_raw) | stats sum(eval(bytes/1024/1024)) as mb


0 Karma


Celeste
Engager

Thanks for the help, everyone!

0 Karma

masonmorales
Influencer

Unless you are using a routing and filtering configuration to send DEBUG events to a separate index, this is not possible. Splunk only keeps license usage metrics down to the metadata level (i.e. host, index, source, sourcetype).

You might be able to get a rough idea by searching host="*-prd-*" | stats count by log_level (or whatever field DEBUG is extracted as) and then calculating the proportion of events with DEBUG to the amount of license usage on host="*-prd-*".

0 Karma
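A worked query that combines the two workarounds above (the DEBUG proportion from masonmorales' reply and the len(_raw) sizing from somesoni2's), added here as an example and not taken from either reply: it computes each host's DEBUG share by raw event length and applies that share to the same host's license bytes over the same time range. It assumes DEBUG events carry the literal text [DEBUG] in _raw and that the host field in your data matches the h field in license_usage.log.

```spl
index=_internal source="*license_usage.lo*" type=Usage h="*-prd-*"
| stats sum(b) as license_bytes by h
| rename h as host
| join type=left host
    [ search index=* host="*-prd-*"
      | eval raw_len=len(_raw), is_debug=if(like(_raw, "%[DEBUG]%"), 1, 0)
      | stats count as total_events,
              sum(is_debug) as debug_events,
              sum(raw_len) as total_raw_bytes,
              sum(eval(raw_len*is_debug)) as debug_raw_bytes
        by host ]
| eval debug_share=if(total_raw_bytes>0, debug_raw_bytes/total_raw_bytes, 0)
| eval license_mb=round(license_bytes/1048576, 2)
| eval est_debug_mb=round(license_bytes*debug_share/1048576, 2)
| table host, license_mb, total_events, debug_events, debug_share, est_debug_mb
| sort - est_debug_mb
```

Run it over the same time window as the License Usage drill-down; the subsearch inherits that window but is still subject to the default subsearch result and runtime limits, so keep the host filter tight. The result is a proportion of raw event length, not of indexed bytes, so it remains an approximation as both replies say.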

Celeste
Engager

Darn, I was hoping to manipulate a bit more. Thanks for the speedy answer!

0 Karma