- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to find license usage based on the all the ind...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I run the below search I can see 94 indexes available.
| eventcount summarize=false index=* index=_*| dedup index | fields index
But when I run the below search to check the license usage based on an index , I only get license usage details for 11 indexes.
index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="*" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
How do I find the license usage for all the available indexes?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in your timechart, add limit=0 if you want to display them all. However, your results might get truncated due to so many indexes, depends on how you're trying to display the data. charting commands limit to 10 plus "OTHER"/"NULL" fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI @whitewolf332512,
at first, as hinted by @cmerriman, use limit=0 in your timechart to avoid that your search displays only the first 10 indexes.
Then, in you search you have also Splunk internal indexes (_*) that don't consume license and aren't in the license consunption search.
At the end, probably you have indexes that didn't receive events in the last 30 days that's the time period of the license consuption search.
You can easily check this using the Splunk Monitor Console App, where there's a dashboard displaying all the information about indexes, in which there's also te last events in index [Settings -- Monitor Console -- Indexing -- Indexes and Volumes -- Index Detail: Instance].
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in your timechart, add limit=0 if you want to display them all. However, your results might get truncated due to so many indexes, depends on how you're trying to display the data. charting commands limit to 10 plus "OTHER"/"NULL" fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I added limit=0 into the timechart and as you had said the index count increased from 11 to 26 but still it is not showing for all the indexes.
I'm trying to export the license usage data for all the indexes into an excel file.
So that is why I'm looking for a query by which I can collect the data for all the indexes.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
