Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to display daily license usa...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I'm struggling to find out how to add an overlay or something that will display the daily license usage for specific indexes and the total daily license usage. I'd also like to add our current license volume as a horizontal line. Everything on one graph.
almost correct:
index=_internal source=*license_usage.log type=Usage
(idx=cust_1 OR idx=cust_l2 OR idx=cust_3OR idx=cust_4 OR idx=cust_5 OR idx=cust_6)
| timechart span=1d eval(round(sum(b)/1024/1024/1024,2)) AS "GB Used"
| appendcols [search index=_internal source=*license_usage.log type=Usage | timechart span=1d eval(round(sum(b)/1024/1024/1024,2)) AS "Total GB Used"]
another try:
index=_internal source=*license_usage.log type=Usage
(idx=cust_1 OR idx=cust_l2 OR idx=cust_3 OR idx=cust_4 OR idx=cust_5OR idx=cust_6)
| bucket _time span=1d
| stats sum(b) AS bytes by _time | eval GB = round(bytes/1024/1024/1024,2)
| appendcols [search index=_internal source=*license_usage.log type=Usage | bucket _time span=1d |stats sum(b) AS bytes by _time | eval GB1= round(bytes/1024/1024/1024,2)| eval limit = 500]
| table GB, GB1, limit
I'm not really sure it's the best way to do it, sure it lacks optimization 😕
Any idea to fix this? thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
index=_internal source=*license_usage.log type=Usage
| eval specific=if(idx="cust_1" OR idx="cust_l2" OR idx="cust_3" OR idx="cust_4" OR idx="cust_5" OR idx="cust_6",b,0)
| timechart span=1d eval(round(sum(specific)/1024/1024/1024,2)) AS "GB Used" eval(round(sum(b)/1024/1024/1024,2)) AS "Total GB Used"
To add Current license quota, you can add following portion to the end of above search. Please note that below query requires access to license server instance, so you would need to add your license server instance as search peer to your search heads (where you'll run this)
..above search ..| eval "License Quota"=[| rest /services/licenser/licenses | search group_id="Enterprise" status="VALID" | stats sum(quota) as query | eval query=(query/1024/1024/1024)]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
index=_internal source=*license_usage.log type=Usage
| eval specific=if(idx="cust_1" OR idx="cust_l2" OR idx="cust_3" OR idx="cust_4" OR idx="cust_5" OR idx="cust_6",b,0)
| timechart span=1d eval(round(sum(specific)/1024/1024/1024,2)) AS "GB Used" eval(round(sum(b)/1024/1024/1024,2)) AS "Total GB Used"
To add Current license quota, you can add following portion to the end of above search. Please note that below query requires access to license server instance, so you would need to add your license server instance as search peer to your search heads (where you'll run this)
..above search ..| eval "License Quota"=[| rest /services/licenser/licenses | search group_id="Enterprise" status="VALID" | stats sum(quota) as query | eval query=(query/1024/1024/1024)]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nice it works like a charm thanks!
However I have only values for the last 30 days on my _internal index, is it normal?
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
