Splunk Search

Which applications are ingesting more data and violating the license?

blbr123
Path Finder

Hi All,

I would like to know which applications are ingesting more data and violating the license. 

I tried the below query but I am not sure if it gives correct results.

index=_internal source=*license_usage.log type=”Usage” splunk_server=*
| eval Date=strftime(_time, “%Y/%m/%d”)
| streamstats sum(b) as volume
| eval MB=round(volume/1024/1024,5)
| timechart span=1w avg(MB) by idx 

 

index=_internal source=*license_usage.log type=Usage 
| stats sum(b) as bytes by h 
| eval MB = round(bytes/1024/1024,1)
| fields h MB
| rename h as host

 

 

 

 

 

Labels (2)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

it should be "host=<your LM host>".

r. Ismo

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @blbr123,

you already have this search in License consuption by index [Settings -- Licensing -- Usage Report -- Previous 60 days -- Split by index (or surcetype)].

Remember that anyway, you could have two problems:

  • usually retention on _internal is few days, so you could not have 60 days of logs,
  • you could have on the same index (or the same sourcetype) more applications.

Anyway, the search is:

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx   | timechart span=1d sum(b) AS volumeB by idx fixedrange=false  | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | dedup _time stack | stats sum(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

You have similar searches also in the Monitoring Console App or installing the License consuption App.

Ciao.

 

 

blbr123
Path Finder

Why do we need to use set_local_host and what it does?

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

it should be "host=<your LM host>".

r. Ismo

0 Karma
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...