Splunk Search

Can I add more details to my license usage by time search to see how much is going to DEBUG logs?

Celeste
Engager

I use the License Usage search (generally when I click through on a host or source from the License Usage page) and can manipulate the hosts or time blocks with no problem.

But I'd like to narrow down the information and determine how much license usage is going to DEBUG logs. Here is my original string:

index=_internal source="*license_usage.lo*" type=Usage | bucket _time span=60m | stats sum(b) as bytes by _time h | eval mb=bytes/1048576 | rename h as host | rename mb as Mbytes | search host="*-prd-*" 

Where would I put the term "[DEBUG]" to only count events that include that word?

Thanks!


somesoni2
Revered Legend

The license usage log provides license usage (bytes) by the following categories:
1) Time - time of data ingested
2) source - source from where data is coming
3) sourcetype - sourcetype assigned to data
4) host - host from where data is coming
5) index - index where data is getting ingested
6) indexer - Splunk indexer which is storing the data
7) LicensePool - license pool defined in your license master (one or more indexers will be part of the license pool)

index=_internal source="*license_usage.lo*" type=Usage | table _time, s, st, h, idx, i, pool, b | rename s as source, st as sourcetype, h as host, idx as index, i as indexer, pool as LicencePool, b as bytes

It doesn't show the distribution based on content of the data. So with the current query you can't get the information you're looking for.

One approximate and totally inefficient way of getting the information you need is by counting the size of _raw. Something like this, but like many Splunkers, I would not suggest using this.

index=* DEBUG | eval bytes=len(_raw)
| stats sum(eval(bytes/1024/1024)) as mb




Celeste
Engager

Thanks for the help, everyone!


masonmorales
Influencer

Unless you are using a routing and filtering configuration to send DEBUG events to a separate index, this is not possible. Splunk only keeps license usage metrics down to the metadata level (i.e. host, index, source, sourcetype).

You might be able to get a rough idea by searching host="*-prd-*" | stats count by log_level (or whatever field DEBUG is extracted as) and then calculating the proportion of events with DEBUG to the amount of license usage on host="*-prd-*".

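Putting the two answers above together (the per-host byte totals from license_usage.log, weighted by a _raw-based estimate of the DEBUG share), here is an added example that is not from any of the posters. It assumes the literal string [DEBUG] appears in the raw event text, that the "*-prd-*" hosts are the ones of interest, and that the time picker range applies to both the outer search and the subsearch; the append subsearch carries Splunk's default subsearch time and row limits, and the index=* leg scans all events, so expect it to be slow on large deployments.

```spl
index=_internal source="*license_usage.log" type=Usage h="*-prd-*"
| stats sum(b) AS license_bytes BY h
| rename h AS host
| append
    [ search index=* host="*-prd-*"
      | eval raw_len=len(_raw)
      | eval debug_len=if(like(_raw, "%[DEBUG]%"), raw_len, 0)
      | stats sum(raw_len) AS raw_bytes, sum(debug_len) AS debug_raw_bytes BY host ]
| stats sum(license_bytes) AS license_bytes, sum(raw_bytes) AS raw_bytes, sum(debug_raw_bytes) AS debug_raw_bytes BY host
| eval debug_share=if(raw_bytes > 0, round(debug_raw_bytes / raw_bytes, 4), null())
| eval license_MB=round(license_bytes / 1048576, 2)
| eval est_debug_MB=round(license_MB * debug_share, 2)
| table host, license_MB, debug_share, est_debug_MB
```

license_MB is what the license log actually charged per host; debug_share is the fraction of raw event bytes (len(_raw) counts characters, so it is approximate for non-ASCII data) that came from [DEBUG] events, and est_debug_MB is the product, i.e. an estimate, not a measured license figure.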

Celeste
Engager

Darn, I was hoping to manipulate a bit more. Thanks for the speedy answer!
