Splunk Search

Query for monthly usage of index

rickdi
Engager

I am very new to Splunk, and I am trying to figure out how to write a query for the monthly usage of an index in Splunk.

I have tried several different queries but I am not getting any results back. The person who set it up does have the SOS app installed.

Any help would be much appreciated.


rickdi
Engager

Thank you so much I will try these out.


hexx
Splunk Employee

If you are running Splunk Enterprise 6.0 or higher, you will find that we ship a built-in License Usage Report view which, when consulted from your license master, allows you to report on daily license usage per index out of the box.

Note that most of the searches behind the "Last 30 days" tab of this view are powered by a "datacube" search that can be accelerated on demand to ensure that the panels grouping daily license usage by index, source, sourcetype and host load fast.

Finally, as @somesoni2 mentions, if you are still running Splunk Enterprise 5.x, you will find a copy of the same view in S.o.S titled "License Usage - Last 30 Days".

cpetterborg
SplunkTrust

You are probably going to want to do a Summary Index search so that your searches are quicker if you have lots of data. I do a summary search every day at about 5AM for the previous day using the following search:

index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | stats sum(b) as b by idx | eval GB=(b/1024/1024/1024) | sort -GB | fields - b

I use an additional value in the summary table of report_type=daily_usage so that it will be unique.

Then, for the query to roll up a month of data, you can use something like:

index=summary report_type=daily_usage | stats sum(GB) as total by idx | eventstats sum(total) as GrandTotal | eval percent=round(total/GrandTotal*100,1) | sort -total

This should get you a report of the total of each index by month. We do this because we have separate indexes for different departments and are doing a show-back (instead of a charge-back) of their Splunk usage.
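To make the two-step approach above concrete (a daily per-index sum over type=Usage events from license_usage.log, then a monthly roll-up with each index's share of the grand total), here is an added Python example; it is not part of this thread and not Splunk product code. The log lines are constructed to resemble license_usage.log events: the field names idx, b, h, s, st, pool and the RolloverSummary event type are the real ones, while the hosts, sources, byte counts, dates and GUID are made up. It also goes slightly beyond the SPL by reporting how many bytes per index arrived with a squashed host or source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines shaped like license_usage.log events (not real data).
# One August line, two September days, one squashed row (empty h and s), and one
# RolloverSummary event that the Usage search must ignore.
SAMPLE_LOG = """\
08/31/2022 23:59:59.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/secure" st="linux_secure" h="bastion01" o="" idx="sec" i="0000000000000001" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
09/01/2022 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/nginx/access.log" st="access_combined" h="web01" o="" idx="web" i="0000000000000001" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
09/01/2022 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="" st="access_combined" h="" o="" idx="web" i="0000000000000001" pool="auto_generated_pool_enterprise" b=536870912 poolsz=53687091200
09/01/2022 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/secure" st="linux_secure" h="bastion01" o="" idx="sec" i="0000000000000001" pool="auto_generated_pool_enterprise" b=2147483648 poolsz=53687091200
09/02/2022 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/nginx/access.log" st="access_combined" h="web01" o="" idx="web" i="0000000000000001" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
09/02/2022 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/secure" st="linux_secure" h="bastion01" o="" idx="sec" i="0000000000000001" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
09/02/2022 00:00:01.000 +0000 INFO  LicenseUsage - type="RolloverSummary" stacksz=53687091200 pool="auto_generated_pool_enterprise" b=5905580032 poolsz=53687091200
"""

# key="quoted value" or key=bareword, as Splunk writes its own log fields
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return (event date, {field: value}) for one license_usage.log line."""
    day = datetime.strptime(line[:10], "%m/%d/%Y").date()
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return day, fields


def squash(value):
    """Mirror the SPL eval: an empty or missing h/s means Splunk squashed it."""
    return "(SQUASHED)" if not value else value


def daily_usage(log_text):
    """The daily summary search: bytes per (day, idx) from type=Usage events only.

    Also returns, per index, the bytes whose host or source were squashed, so the
    reader can see how much of the total can no longer be attributed to a host.
    """
    per_day = defaultdict(int)   # (day, idx) -> bytes; what the summary index holds
    squashed = defaultdict(int)  # idx -> bytes with h or s == (SQUASHED)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, f = parse_event(line)
        if f.get("type") != "Usage":
            continue  # RolloverSummary and friends carry no per-index data
        host, source = squash(f.get("h")), squash(f.get("s"))
        b = int(f["b"])
        per_day[(day, f["idx"])] += b
        if "(SQUASHED)" in (host, source):
            squashed[f["idx"]] += b
    return dict(per_day), dict(squashed)


def monthly_rollup(per_day, year, month):
    """The roll-up search: total GB per idx for one month, share of grand total, sorted desc."""
    totals = defaultdict(int)
    for (day, idx), b in per_day.items():
        if day.year == year and day.month == month:
            totals[idx] += b
    grand = sum(totals.values())
    rows = []
    for idx, b in totals.items():
        rows.append({
            "idx": idx,
            "GB": b / 1024 / 1024 / 1024,                      # same eval as the SPL
            "percent": round(b / grand * 100, 1) if grand else 0.0,
        })
    rows.sort(key=lambda r: r["GB"], reverse=True)             # sort -total
    return rows


if __name__ == "__main__":
    per_day, squashed = daily_usage(SAMPLE_LOG)
    for row in monthly_rollup(per_day, 2022, 9):
        print(f"{row['idx']:<8}{row['GB']:>8.2f} GB {row['percent']:>6.1f}%")
    print("bytes with squashed host/source:", squashed)
```

The third sample line has empty h and s, which the SPL above rewrites to (SQUASHED): the per-index total is unaffected, which is why idx is a safe key for a show-back report, whereas per-host attribution becomes unreliable once squashing has occurred.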

somesoni2
Revered Legend

By usage of index, do you mean data indexed in Splunk? If yes, then you can see the license usage in SoS here.

http://yoursplunkserverURL/en-US/app/sos/license_usage_30days
