Splunk Search

Splunk license usage per sourcetype

iamlearner123
Explorer

Hello,

Is there a way to find out which sourcetype is sending too much of data to an index. i know an index but i would like to know why there is an increase in license to that specific index from yesterday to today and which sourcetype is sending too much of data from yesterday to today.

Any help would be appreciated.

0 Karma

mayurr98
Super Champion

hey @iamlearner123

you are asking something which is already provided by splunk itself.
On the license Master go to Licensing » License Usage Reporting » Previous 30 days » Split by Sourcetype

The very first panel will be your answer. open in search and get the query.
The query is

index=_internal 
    [ `set_local_host`] source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx 
| timechart span=1d sum(b) AS volumeB by st fixedrange=false 
| join type=outer _time 
    [ search index=_internal 
        [ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d 
    | eval _time=_time - 43200 
    | bin _time span=1d 
    | stats latest(stacksz) AS "stack size" by _time] 
| fields - _timediff 
| foreach * 
    [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Modify the time period as per your requirement.
let me know if this helps!

0 Karma

ddrillic
Ultra Champion
0 Karma

tiagofbmm
Influencer

Hello.

Please try the following search:

index=_internal host=cld* source=*license_usage.log type=Usage earliest=@d
   | eval MB = b/1024/1024
   | rename st AS sourcetype
   | timechart span=1d sum(MB) AS "Total MB used" by sourcetype
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...