show % increase over time

hartfoml
Motivator

I have a search that shows me the 90 day trend of my Splunk license use.

index="_internal" source="*metrics.log" per_index_thruput NOT series="*summary" | eval SLA=### |convert timeformat="%m/%d - %a" ctime(_time) AS kdate| stats sum(kb) as kb_indexed by kdate SLA | eval GB = round(kb_indexed/1024/1024,2)| sort date_mday | table kdate GB SLA | rename kdate as "Date" | trendline sma10(GB) as Trend

First is this a good evaluation of license use?

Second, the trend is so slight that the % increase is less than 5%.

I would like to show the % increase over 90 days for the trend line on the same graph as the line graph.

0 Karma
1 Solution

lpolo
Motivator

1) You need to make sure that index=_internal has all the data to create the 90-day report you need.

2) SLA is your Splunk license in GB. The example below shows SLA=502. It means 502GB per day.

3) splunk_server should be your master license server, or the Splunk instance that you would like to trend in case you do not have a master license server.

4) This query should do what you need:

splunk_server=your_splunk_license_server_host index=_internal source="*license_usage.*" earliest=-90d@d latest=@d | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) as GB | eval SLA=502 | eval '%_License_used'=GB*100/SLA

Since there is no summary index to make it faster, you need to create one. This is another approach, using a scheduled search to populate a summary index that will allow you to trend the license usage by source type, host and total license usage on a daily basis:

1) Create an index to be used by the search presented next.

2) Create a scheduled search to run daily. The query of the scheduled search is the following:

splunk_server=your_splunk_license_server_host index=_internal source="*license_usage.*" earliest=-1d@d latest=@d | eval GB=b/1024/1024/1024 | stats sum(GB) as GB by h st | sort - GB

3) In the scheduled search configuration, select the index you created.

4) Then, backfill the summary index in case you need to.

5) Finally, you could use these queries to get trends by sourcetype, host and total license usage:

License usage trend:

index=your_summary_index splunk_server=your_splunk_server_that_has_the_summary_index |
timechart span=1d sum(GB) as GB |
eval License=502 |
eval Exceeded=if(License>GB,0,GB-License) |
eval Date=strftime(_time, "%m/%d/%Y") |
table Date GB License Exceeded |
rename GB as "License Volume Used (GB)" |
rename Exceeded as "License Volume Exceeded by (GB)" |
rename License as "Max. License Volume (GB)" | sort - Date

Trend by source type:

index=your_summary_index splunk_server=your_splunk_server_that_has_the_summary_index |
timechart span=1d sum(GB) as GB by st

Trend by host:

index=your_summary_index splunk_server=your_splunk_server_that_has_the_summary_index |
timechart span=1d sum(GB) as GB by h

Thanks,
Lp

0 Karma
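The question also asked for the percentage increase of the trend line itself over the 90 days, which the answer's search does not compute. The following is an added example (not lpolo's query): it keeps the answer's 90-day daily license search and SLA=502, adds the `type=Usage` filter so that the daily RolloverSummary events in license_usage.log are not counted a second time, smooths the daily GB with `trendline sma10` (as in the question), and uses `eventstats` to compare the first and last smoothed values, so the resulting `pct_increase` field can be plotted on the same chart as GB and Trend. The hostname is a placeholder, as in the answer.

```spl
splunk_server=your_splunk_license_server_host index=_internal source="*license_usage.*" type=Usage earliest=-90d@d latest=@d
| eval GB=b/1024/1024/1024
| timechart span=1d sum(GB) as GB
| eval SLA=502
| eval pct_of_license=round(GB*100/SLA,2)
| trendline sma10(GB) as Trend
| eventstats first(Trend) as TrendStart last(Trend) as TrendEnd
| eval pct_increase=round((TrendEnd-TrendStart)*100/TrendStart,2)
| fields - TrendStart TrendEnd
```

Because `first()` and `last()` skip rows where Trend is null, TrendStart is the first day for which the 10-day moving average exists rather than day one of the window.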

hartfoml
Motivator

The math at the end of the search is simple and plain. I don't know why I didn't think of that. This is useful code, thanks.

Only it takes too long to run. There has to be a summary index for license use somewhere that does not take so long to run.

0 Karma