Splunk Search

Daily License Usage Based on Source Information Along with Host, Index & Sourcetype Information

anandhalagaras1
Contributor

Hi Team,

There is a requirement to get the license usage split in GB on a daily basis for the top 20 log sources along with the host, index and sourcetype details.

So kindly help with the query.

0 Karma

gcusello
SplunkTrust

Hi @anandhalagaras1 ,

if you look in the Monitoring Console App [Settings > Monitoring Console > Indexing > License Usage > Historic License Usage] or in the License Consumption Report [Settings > Licensing > Usage Report > Previous 60 days > Split by ...] you can find the searches you need.

Ciao.

Giuseppe

anandhalagaras1
Contributor

@gcusello

We are using Splunk Cloud version 9.1.2308.203. Following your instructions, I navigated to Cloud Monitoring Console --> License Usage and found the following options in the Cloud Monitoring Console App:
- Entitlement
- Ingest
- Workload
- Storage Summary
- Searchable Storage (DDAS)
- Archive Storage (DDAA)
- Federated Search for Amazon S3

Our Cloud Monitoring Console app is version 3.25.0. Please let me know how to pull the top 20 or top 50 sources with the index and sourcetype information.

0 Karma

gcusello
SplunkTrust

Hi @anandhalagaras1 ,

you should take the searches in Workload and adapt them to your requirements.

Ciao.

Giuseppe

0 Karma

anandhalagaras1
Contributor

@gcusello When I navigate to the Cloud Monitoring Console --> License Usage --> Workload, I can see Indexing Process --> Peak SVC usage per hour split by indexing source. When I open that query in another search window, I can see the query as below:

index=summary source="splunk-ingestion" [`sim_get_local_stack` | eval host="*.".stack.".*splunk*" | fields host]
| dedup keepempty=t _time idx st
| stats sum(ingestion_gb) as ingestion_gb by _time idx
| eventstats sum(ingestion_gb) as total_gb by _time
| eval pct=ingestion_gb/total_gb
| bin _time span=1h
| join _time
[ search index=summary source="splunk-svc-consumer" svc_consumer="data services" svc_usage=*
| fillnull value="" svc_consumer process_type search_provenances search_type search_app search_label search_user unified_sid search_modes labels search_head_names usage_source
| eval unified_sid=if(unified_sid="",usage_source,unified_sid)
| stats max(svc_usage) as utilized_svc by _time svc_consumer search_type search_app search_label search_user search_head_names unified_sid process_type
| timechart span=1h sum(utilized_svc) as svc_usage
]
| eval svc_usage=svc_usage*pct
| timechart useother=false span=1h sum(svc_usage) by idx

I need to generate three separate reports, each identifying the top 10 items based on license usage in GB over the last 30 days. Specifically, I want to pull the following information:

1. The top 10 indexes (excluding internal indexes).
2. The top 10 sourcetypes (excluding internal index sourcetypes).
3. The top 10 sources.

These reports need to be scheduled to run every month. Could you please provide the queries for these three requirements?

0 Karma
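Three searches that would produce the reports requested above, written here as an added example (not a query from this thread or from the Cloud Monitoring Console). They assume that the license_usage.log events in _internal are searchable on the stack (fields b, idx, st, s, h), that "internal" means an index name beginning with an underscore, and that the monthly schedule supplies the 30-day time range; the third search also adds the per-day, host, index and sourcetype breakdown from the original question.

```spl
index=_internal source=*license_usage.log type="Usage" earliest=-30d@d latest=@d
| eval GB=b/1024/1024/1024
| where NOT match(idx, "^_")
| stats sum(GB) as GB by idx
| eval GB=round(GB, 3)
| sort - GB
| head 10

index=_internal source=*license_usage.log type="Usage" earliest=-30d@d latest=@d
| eval GB=b/1024/1024/1024
| where NOT match(idx, "^_")
| stats sum(GB) as GB by st
| eval GB=round(GB, 3)
| sort - GB
| head 10

index=_internal source=*license_usage.log type="Usage" earliest=-30d@d latest=@d
| eval GB=b/1024/1024/1024
| where NOT match(idx, "^_") AND s!=""
| bin _time span=1d
| stats sum(GB) as GB by _time s h idx st
| eventstats sum(GB) as total_GB by s
| sort - total_GB, s, _time
| streamstats dc(s) as rank
| where rank<=10
| eval GB=round(GB, 3), total_GB=round(total_GB, 3)
| table _time s h idx st GB total_GB
```

Splunk writes empty source and host values into license_usage.log once the number of distinct source/host pairs for an index and sourcetype exceeds squash_threshold, so the third search can under-report per-source usage; the index and sourcetype totals are not affected by squashing.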