How to generate a search to compare license usage for an index?

Champion

Hi,

We want to track our Top N users of license by index, and then compare it to yesterday (and possibly alert on major changes). Not sure how to do that... any suggestions?

0 Karma

Re: How to generate a search to compare license usage for an index?

Motivator

Hi A212830,

This query worked for me. It doesn't compare to yesterday but you could easily do that with the timewrap app.

index=_internal source="*license_usage.log*"
| where idx!="NULL"
| timechart limit=0 span=1d sum(eval(round(b/1024/1024/1024,5))) by idx
0 Karma

Re: How to generate a search to compare license usage for an index?

Motivator

Whups, sorry, that doesn't do the user part. Lemme dig on that.

0 Karma

Re: How to generate a search to compare license usage for an index?

Champion

If you can track indexing by hosts instead of user, then you can use the built-in usage data with the following:

index=_internal source=*license_usage.log* type="Usage" idx=<YOUR_INDEX> 
| timechart span=1d limit=0 eval(round(sum(b)/1024/1024,3)) as MB by h

If you need to track indexing by user, then you would have to look at the raw data lengths.

index=<YOUR_INDEX>
| timechart span=1d limit=0 sum(eval(len(_raw)/1024/1024)) by <USER_FIELD>

Without getting into worrying about days of the week and patterns of behavior, you can then compare between days with the following, where you will see where there is a 50% change in volume.

| untable _time user mb
| streamstats window=1 current=f last(mb) as prev_mb by user
| eval perc_diff = (abs(prev_mb - mb)/mb)*100
| search perc_diff>50 prev_mb>0
0 Karma

Re: How to generate a search to compare license usage for an index?

Champion

Sorry, user has nothing to do with it; I want it by index. We'll associate the index to a bu internally via dbx.

0 Karma

Re: How to generate a search to compare license usage for an index?

Champion

Can you please clarify what you mean in your original post by "Top N users by index"? What do you mean "users"?

0 Karma

Re: How to generate a search to compare license usage for an index?

Champion

Just topn index by volume. We'll associate the index name internally with a bu.

0 Karma

Re: How to generate a search to compare license usage for an index?

Champion

Ok then, how about this? Your "N" can be set by changing the value "limit=N" in the timechart command.

index=_internal source=*license_usage.log* type="Usage"
| timechart span=1d limit=10 eval(round(sum(b)/1024/1024,3)) as mb by idx
| untable _time idx mb
| streamstats window=1 current=f last(mb) as prev_mb by idx
| eval perc_diff = (abs(prev_mb - mb)/mb)*100
| eval marker = if(perc_diff > 50 AND prev_mb > 0, 1, 0)
0 Karma
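The day-over-day comparison that query performs, written out as an added Python example that is not from this thread, run over a few constructed license_usage.log lines (the line layout is approximated; only the timestamp prefix and the type, idx and b fields are used):

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample license_usage.log lines (field layout approximated; the
# code relies only on the timestamp prefix and the type, idx and b fields).
SAMPLE_LOG = """\
05-01-2023 00:00:00.000 +0000 INFO LicenseUsage - type=Usage s="s" st="st" h="h1" o="" idx="main" i="A" pool="p" b=104857600 poolsz=1000
05-01-2023 00:00:00.000 +0000 INFO LicenseUsage - type=Usage s="s" st="st" h="h2" o="" idx="wineventlog" i="A" pool="p" b=52428800 poolsz=1000
05-01-2023 00:00:00.000 +0000 INFO LicenseUsage - type=RolloverSummary stacksz=1000 pool="p" b=200000000
05-02-2023 00:00:00.000 +0000 INFO LicenseUsage - type=Usage s="s" st="st" h="h1" o="" idx="main" i="A" pool="p" b=115343360 poolsz=1000
05-02-2023 00:00:00.000 +0000 INFO LicenseUsage - type=Usage s="s" st="st" h="h2" o="" idx="wineventlog" i="A" pool="p" b=209715200 poolsz=1000
"""

USAGE_RE = re.compile(r'type=Usage .*?idx="(?P<idx>[^"]*)".*? b=(?P<b>\d+)')

def daily_mb_by_index(lines):
    """Sum b (bytes) of type=Usage events per index per day, in MB (like timechart span=1d ... by idx)."""
    totals = defaultdict(lambda: defaultdict(float))  # idx -> date -> MB
    for line in lines:
        m = USAGE_RE.search(line)
        if not m:  # skips RolloverSummary and other event types
            continue
        day = datetime.strptime(line[:10], "%m-%d-%Y").date()
        totals[m["idx"]][day] += int(m["b"]) / 1024 / 1024
    return totals

def flag_day_over_day(totals, threshold=50.0):
    """Replicate the streamstats/eval steps: compare each day with the previous one per index."""
    rows = []
    for idx, by_day in totals.items():
        prev_mb = None
        for day in sorted(by_day):
            mb = round(by_day[day], 3)
            if prev_mb is None or mb == 0:
                perc_diff = None  # first day, or division by zero (null in Splunk)
            else:
                perc_diff = abs(prev_mb - mb) / mb * 100
            marker = int(perc_diff is not None and perc_diff > threshold and prev_mb > 0)
            rows.append({"day": day, "idx": idx, "mb": mb, "prev_mb": prev_mb,
                         "perc_diff": perc_diff, "marker": marker})
            prev_mb = mb
    return rows

if __name__ == "__main__":
    for row in flag_day_over_day(daily_mb_by_index(SAMPLE_LOG.splitlines())):
        print(row)
```

As in the query, the percentage uses the current day's mb as the denominator, so a day with zero volume gets no perc_diff (Splunk's division by zero yields null) and is never flagged; if a drop to nothing should alert, divide by prev_mb instead.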

Re: How to generate a search to compare license usage for an index?

Champion

That query should give you the field marker on the day when a given index changed by 50% or more compared to the previous day. You could overlay that information with a chart showing the daily totals, or you could filter down to just that field and set up alerts.

0 Karma

Re: How to generate a search to compare license usage for an index?

Explorer

To see how much each source is putting through, try this search; change the sourcetype as needed.

sourcetype=WinEventLog:*
| fields _raw, _time, host
| eval evt_bytes = len(_raw)
| timechart span=1d sum(eval(evt_bytes/1024/1024)) AS TotalMB by host

To see how big your indexes are, try this search:

| rest /services/data/indexes
| eval perc=(currentDBSizeMB * 100 / maxTotalDataSizeMB)
| table title currentDBSizeMB maxTotalDataSizeMB perc

0 Karma