Hi,
I have the search mentioned below to see license usage per app, but the issue I am facing is that if I run the search without this portion (| chart sum(GB) by app_name) at the end, then it gives the license usage for all apps with their indexes and sourcetypes respectively. However, if I exclude it from the end, then it is not showing license usage for all the apps. Kindly suggest a solution for this.
index=_internal source=*license_usage.log type="Usage"
| eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval sourcetypename = st | bin _time span=1d
| stats sum(b) as b by _time, pool, indexname, sourcetypename | eval GB=round(b/1024/1024/1024, 3)
| fields _time, indexname, sourcetypename, GB
| join sourcetypename [ | rest /services/saved/sourcetypes | fields title, "eai:acl.app" | rename title AS sourcetypename, "eai:acl.app" AS app_name ]
| chart sum(GB) by app_name
Thanks
You have mentioned before that the result of the search below is missing the three app names. Then what do you mean by "Yes" to the question "Are those three apps coming as part of the original detailed search?" Sorry, just trying to understand the problem.
index=_internal source="*license_usage.log" type="Usage"
| eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval sourcetypename = st | bin _time span=1d
| stats sum(b) as b by _time, pool, indexname, sourcetypename | eval GB=round(b/1024/1024/1024, 3)
| fields _time, indexname, sourcetypename, GB
| join sourcetypename [ | rest /services/saved/sourcetypes | fields title, "eai:acl.app" | rename title AS sourcetypename, "eai:acl.app" AS app_name ]|table app_name|dedup app_name
If you are not getting those three apps as part of this search, then it could be that your join is eliminating the apps (a few sourcetypes missing from either of the two searches).
Try this again and see if you have any "Not Found" in app name.
index=_internal source="*license_usage.log" type="Usage"
| eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval sourcetypename = st | bin _time span=1d
| stats sum(b) as b by _time, pool, indexname, sourcetypename | eval GB=round(b/1024/1024/1024, 3)
| fields _time, indexname, sourcetypename, GB
| join sourcetypename type=outer [ | rest /services/saved/sourcetypes | fields title, "eai:acl.app" | rename title AS sourcetypename, "eai:acl.app" AS app_name ]|eval app_name=coalesce(app_name,"Not Found" |stats count by app_name
If the above is also not working for you, then get one of the apps from the missing three and search for it in the results of the original detailed search (the main search with join).
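To see why the inner join silently hides usage, here is an added example (mine, not from this thread or from Splunk) that models the search above in plain Python over constructed rows; the index, sourcetype and app names and byte counts are made up for illustration.

```python
# Added example: a plain-Python model of `join sourcetypename [...] | chart sum(GB) by app_name`,
# showing how an inner join drops license usage for sourcetypes no app claims and how the
# outer join + coalesce("Not Found") makes that dropped usage visible.
from collections import defaultdict

# Constructed stand-in for the `stats sum(b) ... by indexname, sourcetypename` output:
# (indexname, sourcetypename, bytes). Values are invented.
LICENSE_ROWS = [
    ("web", "access_combined", 3 * 1024**3),
    ("qv-perfmon", "Perfmon:CPUTime", 1 * 1024**3),
    ("qv-winevents", "WinEventLog:Security", 2 * 1024**3),
]
# Constructed stand-in for `| rest /services/saved/sourcetypes`: sourcetype -> owning app.
# The Perfmon/WinEventLog sourcetypes are deliberately absent, as in the thread.
SAVED_SOURCETYPES = {"access_combined": "my_web_app"}


def gb_by_app(rows, sourcetype_to_app, outer=False):
    """GB per app_name. outer=False models the default (inner) join: rows whose
    sourcetype has no app vanish. outer=True models `join type=outer` followed by
    `eval app_name=coalesce(app_name,"Not Found")`."""
    totals = defaultdict(float)
    for _idx, st, b in rows:
        app = sourcetype_to_app.get(st)
        if app is None:
            if not outer:
                continue          # inner join: the row silently disappears
            app = "Not Found"     # coalesce() fallback
        totals[app] += round(b / 1024**3, 3)
    return dict(totals)


def unmapped_sourcetypes(rows, sourcetype_to_app):
    """The check from the thread: which (index, sourcetype) pairs land in "Not Found"."""
    return sorted({(idx, st) for idx, st, _ in rows if st not in sourcetype_to_app})


if __name__ == "__main__":
    print("inner join:", gb_by_app(LICENSE_ROWS, SAVED_SOURCETYPES))
    print("outer join:", gb_by_app(LICENSE_ROWS, SAVED_SOURCETYPES, outer=True))
    print("unmapped:  ", unmapped_sourcetypes(LICENSE_ROWS, SAVED_SOURCETYPES))
```

Half of the licensed volume here is invisible to the inner-join chart; the "Not Found" bucket is what tells you to go and look at those sourcetypes.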
Sorry, I took your first question the wrong way. The answer to the first question is "no": those three apps are not part of the original detailed search, as I mentioned earlier. By executing the query you gave above, I am getting the error message below:
"Error in 'eval' command: The expression is malformed. Expected ). "
Thanks
No problem. I missed a ")" in eval. Just replace it with |eval app_name=coalesce(app_name,"Not Found")|stats count by app_name
OK, so if it's not in your detailed search, it's not a problem with stats. Now we need to look at the join command. It's possible that the sourcetypes from your missing 'three' apps might not be sending data, and hence the sourcetype is not matching in the "join". Get the sourcetypes from those missing apps and see if they are sending any data.
Hope now you will be able to identify the reason.
By using the parameter below I am able to list all the apps in the result, but when I go to replace my final search query parameter (| rest /services/saved/sourcetypes) with it, it won't work. Do you have any idea on this?
| REST /services/apps/local splunk_server=local | table label
Thanks
Thanks for the correction. Now I have started getting data in "Not found". The index and sourcetype I am getting are:
index sourcetype
qv-perfmon Perfmon:CPUTime
qv-perfmon Perfmon:FreeDiskSpace
qv-perfmon Perfmon:Memory
qv-winevents WinEventLog:Application
qv-winevents WinEventLog:Security
qv-winevents WinEventLog:System
Now the issue is that these are common sourcetypes. As you know, while fetching logs for host health checks in Splunk, these are the common sourcetypes that we have to define in the inputs.conf file, so could you please tell me how to overcome this issue?
Thanks