Solved: Re: LIcense Usage by Source Type

fmpa_isaac · ‎06-16-2016

Can someone help me include sourcetype to my search below? I am trying to run a report for the past 60 days and need it by Sourcetype or Host. However, I don't see sourcetype as a field to choose from. I know Splunk has a license usage report but I'm needing the data behind it and for the past 60 days.
Here is my search string.

index=_internal source=*license_usage.log* type=Usage | timechart span=1d sum(b) as bytes | eval GB = round(bytes/1024/1024/1024,2)

Thank you

javiergn · ‎06-16-2016

See if my answer here helps:

https://answers.splunk.com/answers/344834/how-to-get-a-license-report-with-sourcetypes-and-i.html

index=_internal source=*license_usage.log type="Usage" 
 | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
 | eval sourcetypename = st
 | bin _time span=1d 
 | stats sum(b) as b by _time, pool, indexname, sourcetypename
 | eval GB=round(b/1024/1024/1024, 3)
 | fields _time, indexname, sourcetypename, GB

View solution in original post

yannK · ‎12-07-2018

Below is an example for the volume per sourcetype. The detail per sourcetype and index is always completed (no squash_threshold )
The fields are "st" for sourcetype, and "idx" for index.

We use the time bucket to do the sum per day, but you could do otherwise.
Keep in mind that the license-master reports the daily usage a midnight (timezone of the license-master), not necessarily in your timezone.

#by sourcetype
index=_internal source=*license_usage.log* type="Usage"
| bucket _time span=1d
| stats sum(b) As bytes by _time st

#by index
index=_internal source=*license_usage.log* type="Usage"
| bucket _time span=1d
| stats sum(b) As bytes by _time idx

If you are looking for a volume per host, the field to group by is "h", (or source with "s") but then you may encounter the issue of the squash_threshold. We recommend to do something like

# by host 
index=_internal source=*license_usage.log* type="Usage"
| bucket _time span=1d
| filnull h,s value="missing"  | stats sum(b) As bytes  by _time h 

#by source
index=_internal source=*license_usage.log* type="Usage"
| bucket _time span=1d
| filnull h,s value="missing"  | stats sum(b) As bytes  by _time s

merp96 · ‎05-18-2017

change sourcetype to "st" . The query works

index=_internal source="license_usage.log"
| timechart span=1d sum(eval(round(b/1024/1024/1024,5))) by st

ddrillic · ‎06-16-2016

This one works -

index=_internal source="*license_usage.log*"
| timechart span=1d sum(eval(round(b/1024/1024/1024,5))) by idx

If we change it to -

index=_internal source="*license_usage.log*"
| timechart span=1d sum(eval(round(b/1024/1024/1024,5))) by sourcetype

The sourcetype ends up to be splunkd.

javiergn · ‎06-16-2016

See if my answer here helps:

https://answers.splunk.com/answers/344834/how-to-get-a-license-report-with-sourcetypes-and-i.html

index=_internal source=*license_usage.log type="Usage" 
 | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
 | eval sourcetypename = st
 | bin _time span=1d 
 | stats sum(b) as b by _time, pool, indexname, sourcetypename
 | eval GB=round(b/1024/1024/1024, 3)
 | fields _time, indexname, sourcetypename, GB

ctksplunkctk · ‎02-10-2020

Hi all,
If I want to gather the statistics day by day for seeing the trend of each type of data and for checking the usage of any new data on-board in the future.
How should I modify the query?

fmpa_isaac · ‎06-16-2016

Yes, thank you Javier.

LIcense Usage by Source Type

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation