Splunk Search

Can anyone help me write a Splunk query which gives the volume ($ amount) or calculates each source ingesting data?

question_queen
New Member

I am looking for a Splunk query which can calculate each sourcetype ingesting data in Splunk. You can take the sample data below.

For example: summary_capacity

0.01 per GB per month

0.2 per GB per month

Splunk license is $5 per CPU per day

Indexer is 10.15$ per day

So what would be the most efficient Splunk query for calculating the cost based on how much data each sourcetype ingests?

 

 

0 Karma

gcusello
SplunkTrust

Hi @question_queen,

Why do you say that the Splunk license costs 5 $/CPU per day?

The Splunk License is independent of the number of CPUs; only the indexed logs per day are relevant.

I don't know the exact price of a Splunk License today, but on the Internet you can find some old quotes (surely not updated) that say around 2000 $/day; to be sure, ask your Splunk partner or Splunk Sales.

For more info, see https://www.splunk.com/en_us/software/pricing/faqs.html#entity-pricing

Splunk licensing is calculated as a yearly subscription, with support included; obviously the price is more discounted with a larger license.

Anyway, you can find the license consumption for each sourcetype using the License Usage report [Settings -- Licensing -- License Usage -- Previous 60 days] using the dropdown "Split by sourcetype".

Otherwise, you can look in the Monitoring Console, where you have the same dashboard.

One of the searches used in this dashboard is:

 

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx   
| timechart span=1d sum(b) AS volumeB by st fixedrange=false  
| join type=outer _time [search 
     index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d 
     | eval _time=_time - 43200 
     | bin _time span=1d 
     | dedup _time stack 
     | stats sum(stacksz) AS "stack size" by _time] 
| fields - _timediff  
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

 

Ciao.

Giuseppe

0 Karma

question_queen
New Member

Hi @gcusello,

Thank you very much for your answer and time.

"why do you say that Splunk license costs 5 $/CPU per day?" >> Please assume that it was just sample data.

"Anyway, you can find the license consumption for each sourcetype using the License Usage report [Settings -- Licensing -- License Usage -- Previous 60 days] using the dropdown "Split by sourcetype"." >> Somehow this is not working as expected, including the Monitoring Console.

Actually, I am just looking for the query which can give me the daily ingested data (assume we have 100+ hosts) cost in $ by each sourcetype. I ran the below query but it could not give me that result.

0 Karma

gcusello
SplunkTrust

Hi @question_queen,

Regarding the first point, I just wanted to tell you that the cost does not take into account the number of CPUs (like other products, e.g. Oracle) but only the volume of logs indexed daily.

As for the license consumption report and the report I shared that sometimes don't work, I don't know what the malfunction is, but using these reports you can see what the average log volume is for one or two hosts of each type (Linux, Windows Domain Controller and Windows others) and then extrapolate the overall value.

Ciao.

Giuseppe

0 Karma
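Added example (not part of the thread and not Splunk's own dashboard search): a search that turns the per-sourcetype byte counts (`b`, `st`) from the license usage log used above into a daily cost in $ per sourcetype. The two `assumed_*` values are taken from the sample figures in the question, and the cost model (a flat rate per ingested GB plus the daily indexer cost split in proportion to each sourcetype's share of that day's volume) is an assumption; replace both with your real pricing.

```spl
index=_internal source=*license_usage.log* type="Usage" earliest=-30d@d latest=@d
| bin _time span=1d
| stats sum(b) AS bytes BY _time, st
| eval GB = bytes/1024/1024/1024
| eventstats sum(GB) AS day_total_GB BY _time
| eval assumed_rate_usd_per_GB = 0.2, assumed_indexer_usd_per_day = 10.15
| eval volume_cost_usd = GB * assumed_rate_usd_per_GB
| eval indexer_share_usd = assumed_indexer_usd_per_day * GB / day_total_GB
| eval cost_usd = round(volume_cost_usd + indexer_share_usd, 2)
| eval GB = round(GB, 3)
| rename st AS sourcetype
| table _time, sourcetype, GB, cost_usd
| sort _time, -cost_usd
```

Run it where the license usage log is indexed (the license manager, as with the dashboard search above). Grouping only by `st` keeps the totals per sourcetype even when the host and source fields are squashed.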