How to find license usage based on all the indexes

whitewolf332512
New Member

When I run the below search I can see 94 indexes available.

| eventcount summarize=false index=* index=_*| dedup index | fields index

But when I run the below search to check the license usage based on an index, I only get license usage details for 11 indexes.

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx   | timechart span=1d sum(b) AS volumeB by idx fixedrange=false  | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="*" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

How do I find the license usage for all the available indexes?

0 Karma

cmerriman
Super Champion

In your timechart, add limit=0 if you want to display them all. However, your results might get truncated due to so many indexes, depending on how you're trying to display the data. Charting commands limit to 10 plus "OTHER"/"NULL" fields.

0 Karma

gcusello
SplunkTrust

Hi @whitewolf332512,
first, as hinted by @cmerriman, use limit=0 in your timechart so that your search doesn't display only the first 10 indexes.

Then, in your search you also have Splunk internal indexes (_*) that don't consume license and aren't in the license consumption search.

Finally, you probably have indexes that didn't receive events in the last 30 days, which is the time period of the license consumption search.
You can easily check this using the Splunk Monitor Console App, where there's a dashboard displaying all the information about indexes, including the last events in each index [Settings -- Monitor Console -- Indexing -- Indexes and Volumes -- Index Detail: Instance].

Ciao.
Giuseppe

0 Karma

whitewolf332512
New Member

I added limit=0 into the timechart and as you had said the index count increased from 11 to 26 but still it is not showing for all the indexes.

I'm trying to export the license usage data for all the indexes into an Excel file.

So that is why I'm looking for a query by which I can collect the data for all the indexes.

0 Karma
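
Added example, not part of the original thread and not posted by any of its participants: a search that lists every index returned by `eventcount` next to its license usage for the last 30 days, so the gap between the two counts discussed above becomes visible row by row. It uses `stats` rather than `timechart`, so no chart series limit applies and the result can be exported as one row per index. Assumptions: it is run where `license_usage.log` is searchable in `_internal` (the `set_local_host` macro from the original search is left out), and the output field names `events`, `licenseGB` and `note` are made up for this example.

```spl
| eventcount summarize=false index=* index=_*
| stats sum(count) AS events by index
| join type=left index
    [ search index=_internal source=*license_usage.log* type="Usage" earliest=-30d@d
      | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
      | stats sum(b) AS bytes by idx
      | rename idx AS index ]
| eval licenseGB=round(coalesce(bytes,0)/1024/1024/1024, 3)
| eval note=case(substr(index,1,1)="_", "internal index",
                 isnull(bytes), "no license usage in last 30 days",
                 true(), "")
| table index events licenseGB note
| sort - licenseGB
```

For a per-day breakdown, add `bin _time span=1d` inside the subsearch and group by `_time, idx`; that yields one row per day and index instead of one column per index.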