Hi Guys,
So we have smashed our license allowance the past few days. After trying to narrow down the increase via the normal methods, I seem to be going round in circles.
I have tried the Deployment Monitor app, which does not seem to be displaying the last few days (which is not helpful).
I have tried using the license usage to break down the increase, but again this does not seem to show what I need.
I was wondering if someone could provide me with a search that will look at hosts over the last, say, 5 days and anything with a large increase over the same time the week before, highlighting which hosts are potentially causing the issue.
Thanks in advance.
You should probably refactor this to use tstats for speedup/efficiency, but this should do it:
index=* earliest=-14d@d latest=now
| eval sevenDaySeconds = 60*60*24*7
| eval marker=if(relative_time(now(),"-7d@d")<_time,"This_week", "Last_week")
| eval _time =if(relative_time(now(),"-7d@d")<_time,_time, _time + sevenDaySeconds)
| eval bytes=len(_raw)
| chart sum(bytes) OVER host BY marker
| fillnull value=0 This_week Last_week
| eval deltaBytes = This_week - Last_week
| sort - deltaBytes
Give this a try
index=_internal sourcetype=splunkd source=*license_usage.log type=usage h!="" earliest=-7d@d | bucket span=1d _time | stats sum(b) as b by _time h | eval b=round(b/1024/1024,3) | eval Day="Day".tostring(round((relative_time(now(),"@d")-relative_time(_time,"@d"))/86400)) | chart sum(b) as b over h by Day | fillnull value=0
This will give you daily license usage for each host for the last 7 days. You can add further comparison queries to check when you got a larger percentage change. Something like this:
above search | eval Day0_inc=round((Day0-Day1)*100/Day1,2) | where Day0_inc>25
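A Python re-implementation of the logic in the two searches above, added here for offline checking (it is not code from the thread or from Splunk): it reads records in the shape of license_usage.log, sums b per host per day as the stats step does, and compares each host's last N days with the same N days one week earlier. The sample log lines, host names and byte counts are constructed; it also covers the case the percentage formula above does not, a host with no usage last week.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of Splunk's license_usage.log
# (hosts, sizes and dates are made up; only type="Usage" lines count).
SAMPLE_LOG = """\
05-01-2016 00:10:00.000 +0000 INFO LicenseUsage - type="Usage" s="/var/log/app.log" st="app" h="web01" idx="main" b=1000 pool="auto_generated_pool_enterprise"
05-01-2016 00:11:00.000 +0000 INFO LicenseUsage - type="Usage" s="/var/log/app.log" st="app" h="web02" idx="main" b=2000 pool="auto_generated_pool_enterprise"
05-08-2016 00:10:00.000 +0000 INFO LicenseUsage - type="Usage" s="/var/log/app.log" st="app" h="web01" idx="main" b=9000 pool="auto_generated_pool_enterprise"
05-08-2016 00:11:00.000 +0000 INFO LicenseUsage - type="Usage" s="/var/log/app.log" st="app" h="web03" idx="main" b=500 pool="auto_generated_pool_enterprise"
05-08-2016 00:12:00.000 +0000 INFO LicenseUsage - type="Usage" s="/var/log/app.log" st="app" h="web02" idx="main" b=2100 pool="auto_generated_pool_enterprise"
05-08-2016 01:00:00.000 +0000 INFO LicenseUsage - type="RolloverSummary" date="05/08/2016" b=20000
"""

# Date, then type="Usage", then the h= (host) and b= (bytes) key/value pairs.
LINE_RE = re.compile(r'^(\d{2}-\d{2}-\d{4}) .*?type="Usage" .*?\bh="([^"]*)" .*?\bb=(\d+)')

def daily_usage_by_host(log_text):
    """{host: {date: bytes}}, like 'bucket span=1d _time | stats sum(b) by _time h'."""
    usage = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            day = datetime.strptime(m.group(1), "%m-%d-%Y").date()
            usage[m.group(2)][day] += int(m.group(3))
    return usage

def week_over_week(usage, end_day, days=7):
    """Compare each host's total over the `days` days ending on end_day with the
    same window one week earlier. A host absent from a window counts as 0 (the
    fillnull step); pct is None when last week was 0, the new-host case that a
    bare (this-last)*100/last would turn into a null result."""
    this_start = end_day - timedelta(days=days - 1)
    last_start, last_end = this_start - timedelta(days=7), end_day - timedelta(days=7)
    rows = []
    for host, per_day in usage.items():
        this_week = sum(b for d, b in per_day.items() if this_start <= d <= end_day)
        last_week = sum(b for d, b in per_day.items() if last_start <= d <= last_end)
        pct = round((this_week - last_week) * 100 / last_week, 2) if last_week else None
        rows.append((host, this_week, last_week, this_week - last_week, pct))
    rows.sort(key=lambda r: r[3], reverse=True)  # the 'sort - deltaBytes' step
    return rows

def report(log_text, end_day="2016-05-08", days=7):
    """Parse the log and return (host, this_week, last_week, delta_bytes, pct_change) rows."""
    end = datetime.strptime(end_day, "%Y-%m-%d").date()
    return week_over_week(daily_usage_by_host(log_text), end, days)
```

Run `report(SAMPLE_LOG, "2016-05-08", 5)` to get the 5-day comparison the question asked for; the top rows are the hosts to look at first.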
Thanks for the replies guys, that's been a real help, thanks so much 🙂
If you're running Splunk 6.3 or later, use the DMC to view your license usage (under Indexing->Licensing). If you're running an older version of Splunk, the Splunk On Splunk (SOS) app will show the same information.