Splunk Search

Can I add more details to my license usage by time search to see how much is going to DEBUG logs?

Celeste
Engager

I use the License Usage search (generally when I click through on a host or source from the License Usage page) and can manipulate the hosts or time blocks with no problem.

But I'd like to narrow down the information and determine how much license usage is going to DEBUG logs. Here is my original string:

index=_internal source="*license_usage.lo*" type=Usage | bucket _time span=60m | stats sum(b) as bytes by _time h | eval mb=bytes/1048576 | rename h as host | rename mb as Mbytes | search host="*-prd-*" 

Where would I put the term "[DEBUG]" to only count events that include that word?

Thanks!

0 Karma
1 Solution

somesoni2
Revered Legend

The license usage log provides license usage (bytes) by the following categories:
1) Time - time the data was ingested
2) source - source from where the data is coming
3) sourcetype - sourcetype assigned to the data
4) host - host from where the data is coming
5) index - index where the data is getting ingested
6) indexer - Splunk indexer which is storing the data
7) LicensePool - license pool defined in your license master (one or more indexers will be part of the license pool)

index=_internal source="*license_usage.lo*" type=Usage | table _time, s, st, h, idx, i, pool, b | rename s as source, st as sourcetype, h as host, idx as index, i as indexer, pool as LicensePool, b as bytes

It doesn't show the distribution based on the content of the data. So with the current query you can't get the information you're looking for.

One approximate and totally inefficient way of getting the information you need is by counting the size of _raw. Something like this, but like many Splunkers, I would not suggest using this.

index=* DEBUG | eval bytes=len(_raw) | stats sum(eval(bytes/1024/1024)) as mb


0 Karma


Celeste
Engager

Thanks for the help, everyone!

0 Karma

masonmorales
Influencer

Unless you are using a routing and filtering configuration to send DEBUG events to a separate index, this is not possible. Splunk only keeps license usage metrics down to the metadata level (i.e. host, index, source, sourcetype).

You might be able to get a rough idea by searching host="*-prd-*" | stats count by log_level (or whatever field DEBUG is extracted as) and then calculating the proportion of events with DEBUG to the amount of license usage on host="*-prd-*".

0 Karma
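The proportional estimate described in the two answers above, written out as one SPL search. This is an added example, not a query from the thread or from Splunk's documentation, and it assumes the thread's host naming pattern ("*-prd-*"), that DEBUG events carry the literal string "[DEBUG]" in _raw, and that the raw events for the same hosts are searchable under index=*. It weights by raw byte length (somesoni2's len(_raw) idea) rather than by event count, since a handful of large DEBUG stack traces can carry far more license volume than their event count suggests:

```spl
index=_internal source="*license_usage.lo*" type=Usage h="*-prd-*"
| stats sum(b) as licensed_bytes by h
| rename h as host
| append
    [ search index=* host="*-prd-*"
      | eval raw_bytes=len(_raw)
      | eval debug_bytes=if(like(_raw, "%[DEBUG]%"), raw_bytes, 0)
      | stats sum(raw_bytes) as raw_bytes, sum(debug_bytes) as debug_bytes by host ]
| stats first(licensed_bytes) as licensed_bytes, first(raw_bytes) as raw_bytes, first(debug_bytes) as debug_bytes by host
| eval debug_share=if(raw_bytes > 0, round(debug_bytes / raw_bytes, 4), 0)
| eval licensed_MB=round(licensed_bytes / 1048576, 2)
| eval debug_MB_est=round(licensed_MB * debug_share, 2)
| table host, licensed_MB, debug_share, debug_MB_est
```

The first stats reads the licensed byte counts per host from license_usage.log; the appended subsearch measures, per host, how many raw bytes of the same period's events contain "[DEBUG]"; the second stats merges the two rows per host (stats ignores the null fields each row lacks), and debug_MB_est is licensed_MB scaled by the DEBUG byte share. Two caveats a practitioner should keep in mind: the subsearch scans every event for the chosen hosts, so run it over a short time range (the time picker applies to both halves), and license_usage.log is stamped at index time while raw events carry event time, so the two sides only line up if the data is ingested close to real time. The result is an estimate of what the license usage would look like if DEBUG lines were filtered before indexing, not a number Splunk itself tracks.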

Celeste
Engager

Darn, I was hoping to manipulate a bit more. Thanks for the speedy answer!

0 Karma