Splunk Search

How to find license usage based on all the indexes

whitewolf332512
New Member

When I run the below search I can see 94 indexes available.

| eventcount summarize=false index=* index=_*| dedup index | fields index

But when I run the below search to check the license usage based on an index, I only get license usage details for 11 indexes.

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false
| join type=outer _time
    [search index=_internal [`set_local_host`] source=*license_usage.log* type="*" earliest=-30d@d
    | eval _time=_time - 43200
    | bin _time span=1d
    | stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

How do I find the license usage for all the available indexes?

0 Karma
1 Solution

cmerriman
Super Champion

In your timechart, add limit=0 if you want to display them all. However, your results might get truncated due to so many indexes, depending on how you're trying to display the data. Charting commands limit to 10 plus "OTHER"/"NULL" fields.


0 Karma

gcusello
SplunkTrust

Hi @whitewolf332512,
first, as hinted by @cmerriman, use limit=0 in your timechart so that your search doesn't display only the first 10 indexes.

Then, in your search you also have Splunk internal indexes (_*) that don't consume license and aren't in the license consumption search.

Finally, you probably have indexes that didn't receive events in the last 30 days, which is the time period of the license consumption search.
You can easily check this using the Splunk Monitor Console App, where there's a dashboard displaying all the information about indexes, which also shows the last events in the index [Settings -- Monitor Console -- Indexing -- Indexes and Volumes -- Index Detail: Instance].

Ciao.
Giuseppe

0 Karma


whitewolf332512
New Member

I added limit=0 into the timechart and as you had said the index count increased from 11 to 26 but still it is not showing for all the indexes.

I'm trying to export the license usage data for all the indexes into an Excel file.

So that is why I'm looking for a query by which I can collect the data for all the indexes.

0 Karma
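
A search that combines the points raised in this thread, as an added example that is not from any of the posters: it starts from the list of non-internal indexes and left-joins 30 days of license usage by idx, so indexes with no usage in the period appear with 0 and the result is one row per index instead of one column per index. It assumes the search runs where the license manager's _internal data is searchable; the field names bytes and GB are chosen here.

```spl
| eventcount summarize=false index=*
| dedup index
| fields index
| rename index AS idx
| join type=left idx
    [ search index=_internal source=*license_usage.log* type="Usage" earliest=-30d@d
      | stats sum(b) AS bytes by idx ]
| fillnull value=0 bytes
| eval GB=round(bytes/1024/1024/1024, 3)
| sort - GB
| fields idx, bytes, GB
```

Usage events with no idx value are left out by the stats clause and so do not appear in this list; the original search labels them (UNKNOWN).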