I use the License Usage search (generally when I click through on a host or source from the License Usage page) and can manipulate the hosts or time blocks with no problem.
But I'd like to narrow down the information and determine how much license usage is going to DEBUG logs. Here is my original string:
index=_internal source="*license_usage.lo*" type=Usage | bucket _time span=60m | stats sum(b) as bytes by _time h | eval mb=bytes/1048576 | rename h as host | rename mb as Mbytes | search host="*-prd-*"
Where would I put the term "[DEBUG]" to only count events that include that word?
Thanks!
The license usage log provides license usage (bytes) by the following categories:
1) Time - time the data was ingested
2) source - source the data is coming from
3) sourcetype - sourcetype assigned to the data
4) host - host the data is coming from
5) index - index the data is being ingested into
6) indexer - Splunk indexer which is storing the data
7) LicensePool - license pool defined in your license master (one or more indexers will be part of the license pool)
index=_internal source="*license_usage.lo*" type=Usage | table _time, s, st, h, idx, i, pool, b | rename s as source, st as sourcetype, h as host, idx as index, i as indexer, pool as LicencePool, b as bytes
It doesn't show the distribution based on the content of the data. So with the current query you can't get the information you're looking for.
One approximate and totally inefficient way of getting the information you need is by counting the size of _raw. Something like this, but like many Splunkers, I would not suggest using this.
index=* DEBUG | eval bytes=len(_raw)
| stats sum(eval(bytes/1024/1024)) as mb
Thanks for the help, everyone!
Unless you are using a routing and filtering configuration to send DEBUG events to a separate index, this is not possible. Splunk only keeps license usage metrics down to the metadata level (i.e. host, index, source, sourcetype).
You might be able to get a rough idea by searching host="*-prd-*" | stats count by log_level
(or whatever field DEBUG is extracted as) and then calculating the proportion of events with DEBUG to the amount of license usage on host="*-prd-*".
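As an added worked example (not code from either answer above), the following Python script carries out the estimate both answers describe: it parses type=Usage rows out of license_usage.log to get licensed bytes per host, works out what share of a host's events are DEBUG (by event count, as in the `stats count by log_level` suggestion, and by `len(_raw)`, as in the first answer's approximation), and applies that share to the licensed bytes. The license_usage.log lines, the sample events and the assumption that the level appears in `_raw` as `[DEBUG]` are all constructed for the example; the `web01-prd-01`/`web01-dev-01` hosts and the function names are hypothetical.

```python
"""Estimate how much of a host's licensed volume is DEBUG traffic.

license_usage.log only carries bytes per host/source/sourcetype/index/indexer/pool,
so the DEBUG share has to come from the indexed events and then be applied to the
licensed byte count. All input below is constructed sample data, not real Splunk output.
"""
import re
from collections import defaultdict

# Constructed license_usage.log rows in the key=value form Splunk writes (type=Usage rows
# carry s, st, h, idx, i, pool and b=bytes); the RolloverSummary row is there to be skipped.
LICENSE_USAGE_LOG = """\
01-02-2024 10:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app/app.log" st="app_log" h="web01-prd-01" idx="app" i="idx1" pool="auto_generated_pool_enterprise" b=5242880
01-02-2024 10:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app/app.log" st="app_log" h="web01-dev-01" idx="app" i="idx1" pool="auto_generated_pool_enterprise" b=1048576
01-02-2024 10:00:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary stacksz=53687091200 peak=6291456
"""

# Constructed sample of indexed events from those hosts as (host, _raw) pairs.
EVENTS = [
    ("web01-prd-01", "2024-01-02 10:00:01 [DEBUG] cache miss key=user:42"),
    ("web01-prd-01", "2024-01-02 10:00:02 [INFO] request served path=/login status=200"),
    ("web01-prd-01", "2024-01-02 10:00:03 [DEBUG] sql=SELECT id FROM users WHERE id=42"),
    ("web01-prd-01", "2024-01-02 10:00:04 [ERROR] upstream timeout"),
    ("web01-dev-01", "2024-01-02 10:00:01 [DEBUG] noisy dev output"),
]

USAGE_RE = re.compile(r'\btype=Usage\b.*?\bh="?(?P<h>[^"\s]+)"?.*?\bb=(?P<b>\d+)')
LEVEL_RE = re.compile(r'\[(?P<level>[A-Z]+)\]')   # assumed shape of log_level inside _raw


def splunk_wildcard(pattern):
    """Compile a Splunk-style host="*-prd-*" wildcard (only * is special) into a regex."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def parse_usage(log_text):
    """Return {'h': host, 'b': bytes} for each type=Usage row; other row types are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = USAGE_RE.search(line)
        if m:
            rows.append({"h": m.group("h"), "b": int(m.group("b"))})
    return rows


def usage_by_host(rows, host_pattern):
    """Sum licensed bytes per host, like `stats sum(b) by h | search host=<pattern>`."""
    matcher = splunk_wildcard(host_pattern)
    totals = defaultdict(int)
    for row in rows:
        if matcher.match(row["h"]):
            totals[row["h"]] += row["b"]
    return dict(totals)


def level_share(events, host_pattern, level="DEBUG"):
    """Per host: event and len(_raw) totals overall and for the given level.

    Both counters are proxies: license usage is charged on indexed raw bytes, which
    neither an event count nor a character count of _raw reproduces exactly.
    """
    matcher = splunk_wildcard(host_pattern)
    stats = defaultdict(lambda: {"events": 0, "level_events": 0, "raw": 0, "level_raw": 0})
    for host, raw in events:
        if not matcher.match(host):
            continue
        m = LEVEL_RE.search(raw)
        n = len(raw)                      # mirrors Splunk's len(_raw): a character count
        s = stats[host]
        s["events"] += 1
        s["raw"] += n
        if m and m.group("level") == level:
            s["level_events"] += 1
            s["level_raw"] += n
    return dict(stats)


def estimate_level_bytes(usage, shares):
    """Apply each host's level share to its licensed bytes; returns both estimates per host."""
    out = {}
    for host, s in shares.items():
        if host not in usage or s["events"] == 0:
            continue
        out[host] = {
            "licensed_bytes": usage[host],
            "by_count": usage[host] * s["level_events"] / s["events"],
            "by_raw": usage[host] * s["level_raw"] / s["raw"],
        }
    return out


if __name__ == "__main__":
    usage = usage_by_host(parse_usage(LICENSE_USAGE_LOG), "*-prd-*")
    shares = level_share(EVENTS, "*-prd-*")
    for host, est in estimate_level_bytes(usage, shares).items():
        print(f"{host}: licensed={est['licensed_bytes'] / 1048576:.2f} MB, "
              f"DEBUG~{est['by_count'] / 1048576:.2f} MB (by count) / "
              f"{est['by_raw'] / 1048576:.2f} MB (by len(_raw))")
```

The two estimators disagree whenever DEBUG lines are systematically longer or shorter than the rest of the host's traffic, which is the usual case; the `len(_raw)` share is closer to what the license meter actually charges, but it still has to be computed over the same time window as the license_usage.log rows it is applied to.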
Darn, I was hoping to manipulate a bit more. Thanks for the speedy answer!