Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to calculate the license usage for specific sourcetype

kteng2024
Path Finder
‎08-19-2017 10:25 AM

Can i please know how to calculate license usage of a particular sourcetype from a specific host before indexing ? For example , i have host "webapp01" having a sourcetype "access_log" but i would like to calculate how much data this sourcetype is sending to splunk before indexing to understand license consumption .

0 Karma
Reply

preotesoiu
Path Finder
‎08-21-2017 08:54 AM

this search could perhaps do the trick as well:
index=_internal source=*license_usage.log type=Usage h=yourhost | stats sum(b) AS bytes by st | eval MB= round(bytes/1024/1024,3) | fields st MB | rename st as Sourcetype | sort -MB

0 Karma
Reply

mdsnmss
SplunkTrust
SplunkTrust
‎08-21-2017 06:58 AM

Without downloading an app here is a search that should help:

index=_internal source=*license_usage.log type="Usage"    | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)   | eval sourcetypename = st   | eval host=h | bin _time span=1d    | stats sum(b) as b by _time, host, indexname, sourcetypename | eval GB=(b/1024/1024/1024)  | fields _time, indexname, sourcetypename, host, GB |  stats sum(GB) as GB by indexname, sourcetypename, host | search indexname=* sourcetypename=* host=*

You can use the last pipe to filter what you want to see. One thing to be aware of is host/source reporting can sometimes get squashed and you may see blank values for hosts/sources at that granularity. This thread explains squashing pretty well: https://answers.splunk.com/answers/48542/blank-h-and-s-in-license-usage-log.html.

There is a tunable setting in server.conf for this.

0 Karma
Reply

kteng2024
Path Finder
‎08-21-2017 11:38 AM

Thank you for the reply. But i would like to know how data is that sourcetype sending to splunk before indexing .

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎08-19-2017 12:18 PM

hi kteng2024!

Your best bet is to simply calculate the total size of your access.log on the server over a few of your busiest days. This should give you a pretty close estimate of how much license it will consume per day.

ls -lah should give you the access.log size in human readable in nix.

- MattyMo
0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎08-21-2017 08:57 AM

I stick by this answer seeing as you asked PRE-INDEX. After indexing my vote goes to meta woot app FOR SURE!

- MattyMo
0 Karma
Reply

muralikoppula
Communicator
‎08-19-2017 11:07 AM

Try this app
https://splunkbase.splunk.com/app/2949/

0 Karma
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top