Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Which applications are ingesting more data and violating the license?

blbr123
Path Finder
‎02-08-2022 07:04 AM

Hi All,

I would like to know which applications are ingesting more data and violating the license. 

I tried the below query but I am not sure if it gives correct results.

index=_internal source=*license_usage.log type=”Usage” splunk_server=*
| eval Date=strftime(_time, “%Y/%m/%d”)
| streamstats sum(b) as volume
| eval MB=round(volume/1024/1024,5)
| timechart span=1w avg(MB) by idx 

 

index=_internal source=*license_usage.log type=Usage 
| stats sum(b) as bytes by h 
| eval MB = round(bytes/1024/1024,1)
| fields h MB
| rename h as host

 

 

 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎02-08-2022 11:11 PM

Hi

it should be "host=<your LM host>".

r. Ismo

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-08-2022 07:14 AM

Hi @blbr123,

you already have this search in License consuption by index [Settings -- Licensing -- Usage Report -- Previous 60 days -- Split by index (or surcetype)].

Remember that anyway, you could have two problems:

  • usually retention on _internal is few days, so you could not have 60 days of logs,
  • you could have on the same index (or the same sourcetype) more applications.

Anyway, the search is:

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx   | timechart span=1d sum(b) AS volumeB by idx fixedrange=false  | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | dedup _time stack | stats sum(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

You have similar searches also in the Monitoring Console App or installing the License consuption App.

Ciao.

 

 

Reply
Solved! Jump to solution

blbr123
Path Finder
‎02-08-2022 03:15 PM

Why do we need to use set_local_host and what it does?

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎02-08-2022 11:11 PM

Hi

it should be "host=<your LM host>".

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...