Hello all,
I have a scenario where I need to make calculations regarding license consumed, per host. However, since in the license_usage log, host value was squashed and I can not fix it for past events.
My theory to calculate average license consumption per host is:
1 - Calculate license used per index, per day
index=_internal source="*license_usage.log" component=LicenseUsage type=usage (idx=set1_*)
| timechart useother=false limit=100 span=1d sum(b) by idx
| fillnull value=0
Output Example for daily license consumption:
| Date |
set1_index1 |
set1_index2 |
set1_index3 |
| 22-02-2022 |
345 |
354 |
343 |
| 21-02-2022 |
3463 |
3463 |
234 |
2 - Calculate the distinct number of hosts in each index, using tstats:
| tstats values(host) as hosts, dc(host) as total_hosts where (index=set1_*) by _time,index
| timechart useother=false limit=100 span=1d max(total_hosts) as "TotalHosts" by index
| fillnull value=0
Output Example for number of hosts per index:
| Date |
set1_index1 |
set1_index2 |
set1_index3 |
| 22-02-2022 |
2 |
6 |
4 |
| 21-02-2022 |
4 |
1 |
2 |
ISSUE: The name of the columns is not static. I can only use a prefix, defined in the index naming conventions.
Objective:
If I am able to divide the daily license consumption by the number of hosts, I have the average consumption per host.
Doe any of you can help me find how I made divide the values in the first query by the ones in the second query, geting a similar output to the table below?
| Date |
set1_index1 |
set1_index2 |
set1_index3 |
| 22-02-2022 |
172,5 |
59 |
85,75 |
| 21-02-2022 |
865,75 |
3463 |
117 |
Thanks in advance for your help on this issue.
