Splunk Search

How do I search the license usage by sourcetype for a particular app?

sunnyparmar
Communicator

Hi,

I have one app which doesn't have indexes in it. The dashboards under it are running via either source, sourcetype, and host. Now I have to find the license usage for that app by all the given modes i.e. source, sourcetype, and host. I have searched for all these three parameters, but when I am executing the search, it is showing all sources, sourcetypes, and hosts for all the apps in the result. Now the problem is I don't know which sources, sourcetypes, and hosts belong to that particular app out of all those, so how can I separate these three instances for that particular app from that results? Any suggestions would be appreciated.

Thanks

0 Karma
1 Solution

javiergn
Super Champion

The following query will give you the list of sourcetypes per app:

 | rest /services/saved/sourcetypes
 | fields title, "eai:acl.app"
 | rename title AS sourcetype, "eai:acl.app" AS app_name

If you then join that by sourcetype with your license query you should be able to list what you want.

Something like this for instance:

index=_internal source=*license_usage.log type="Usage" 
 | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
 | eval sourcetypename = st
 | bin _time span=1d 
 | stats sum(b) as b by _time, pool, indexname, sourcetypename
 | eval GB=round(b/1024/1024/1024, 3)
 | fields _time, indexname, sourcetypename, GB
 | join sourcetypename [
     | rest /services/saved/sourcetypes
     | fields title, "eai:acl.app"
     | rename title AS sourcetypename, "eai:acl.app" AS app_name
]

Thanks,
J

View solution in original post

javiergn
Super Champion

The following query will give you the list of sourcetypes per app:

 | rest /services/saved/sourcetypes
 | fields title, "eai:acl.app"
 | rename title AS sourcetype, "eai:acl.app" AS app_name

If you then join that by sourcetype with your license query you should be able to list what you want.

Something like this for instance:

index=_internal source=*license_usage.log type="Usage" 
 | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
 | eval sourcetypename = st
 | bin _time span=1d 
 | stats sum(b) as b by _time, pool, indexname, sourcetypename
 | eval GB=round(b/1024/1024/1024, 3)
 | fields _time, indexname, sourcetypename, GB
 | join sourcetypename [
     | rest /services/saved/sourcetypes
     | fields title, "eai:acl.app"
     | rename title AS sourcetypename, "eai:acl.app" AS app_name
]

Thanks,
J

hsesterhenn_spl
Splunk Employee
Splunk Employee

Hi,
just to make sure I understand this search ('cause I have to solve a similar question...).

The join returns a list of sourcetypes and the app where this sourcetype is defined/saved....

The first part of the search will break down the indexed volume by index and sourcetype.

To my mind the question is only answered correctly if a sourcetype is only used in one specific app...

If you use a generic sourcetype like access_combined... you'll see only "system" as "app"... because this sourcetype is simply defined in "system"...

I am of the opinion that the question can only be answered if you define a custom sourcetype in your app and define inputs using this sourcetype only in this specific app (or an other single app because you might have a TA defining a sourcetype and a single app to provide dashboards/searches for this sourcetype).

Please feel free to correct me if I am wrong.
It might be possible that I did not get the whole idea 🙂

Greetings,

Holger

0 Karma

sunnyparmar
Communicator

thanks J.. solved my issue..

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...