Splunk Search

How to find license usage based on all the indexes

whitewolf332512
New Member

When I run the below search I can see 94 indexes available.

| eventcount summarize=false index=* index=_*| dedup index | fields index

But when I run the below search to check the license usage based on an index, I only get license usage details for 11 indexes.

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="*" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

How do I find the license usage for all the available indexes?

0 Karma

cmerriman
Super Champion

In your timechart, add limit=0 if you want to display them all. However, your results might get truncated due to so many indexes, depending on how you're trying to display the data. Charting commands limit to 10 plus "OTHER"/"NULL" fields.

0 Karma

gcusello
Legend

Hi @whitewolf332512,
first, as hinted by @cmerriman, use limit=0 in your timechart so that your search doesn't display only the first 10 indexes.

Then, in your search you also have Splunk internal indexes (_*) that don't consume license and aren't in the license consumption search.

Finally, you probably have indexes that didn't receive events in the last 30 days, which is the time period of the license consumption search.
You can easily check this using the Splunk Monitor Console App, where there's a dashboard displaying all the information about indexes, which also shows the last events in the index [Settings -- Monitor Console -- Indexing -- Indexes and Volumes -- Index Detail: Instance].

Ciao.
Giuseppe

0 Karma

whitewolf332512
New Member

I added limit=0 into the timechart and, as you had said, the index count increased from 11 to 26, but it is still not showing all the indexes.

I'm trying to export the license usage data for all the indexes into an Excel file.

So that is why I'm looking for a query by which I can collect the data for all the indexes.

0 Karma
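
An added example, not taken from any reply in this thread: one way to get an export-friendly table with one row per non-internal index, using stats instead of timechart so no charting series limit applies. It assumes the search runs where the license manager's _internal logs are searchable; the output field names event_count and volumeGB are chosen here for illustration.

```spl
| eventcount summarize=false index=*
| stats sum(count) AS event_count BY index
| rename index AS idx
| join type=left idx
    [ search index=_internal source=*license_usage.log* type="Usage" earliest=-30d@d latest=now
      | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
      | stats sum(b) AS bytes BY idx ]
| fillnull value=0 bytes
| eval volumeGB=round(bytes/1024/1024/1024, 3)
| fields idx event_count volumeGB
| sort - volumeGB
```

Indexes that exist but logged no license usage in the 30-day window appear with volumeGB of 0 instead of being dropped, which makes the gap between the two index counts visible in the export.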