Can i please know how to calculate license usage of a particular sourcetype from a specific host before indexing ? For example , i have host "webapp01" having a sourcetype "access_log" but i would like to calculate how much data this sourcetype is sending to splunk before indexing to understand license consumption .
this search could perhaps do the trick as well:
index=_internal source=*license_usage.log type=Usage h=yourhost | stats sum(b) AS bytes by st | eval MB= round(bytes/1024/1024,3) | fields st MB | rename st as Sourcetype | sort -MB
Without downloading an app here is a search that should help:
index=_internal source=*license_usage.log type="Usage" | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval sourcetypename = st | eval host=h | bin _time span=1d | stats sum(b) as b by _time, host, indexname, sourcetypename | eval GB=(b/1024/1024/1024) | fields _time, indexname, sourcetypename, host, GB | stats sum(GB) as GB by indexname, sourcetypename, host | search indexname=* sourcetypename=* host=*
You can use the last pipe to filter what you want to see. One thing to be aware of is host/source reporting can sometimes get squashed and you may see blank values for hosts/sources at that granularity. This thread explains squashing pretty well: https://answers.splunk.com/answers/48542/blank-h-and-s-in-license-usage-log.html.
There is a tunable setting in server.conf for this.
Your best bet is to simply calculate the total size of your access.log on the server over a few of your busiest days. This should give you a pretty close estimate of how much license it will consume per day.
ls -lah should give you the access.log size in human readable in nix.