index=_internal source=*license_usage.log type=Usage h= | stats sum(b) as bytes by h | eval usagePercent=bytes/( 50 *1024*1024*1024)*100 | where usagePercent>5
This search would output the hosts in the range using more than 5% of the 50 GB license for the selected time range. You'd have to customize this search (i.e., change 50 to the actual licensed volume and set the threshold).
Also, this search assumes the host values in Splunk to be IP addresses. You'd have to add reverse DNS resolution if this isn't the case.
index=_internal source=*license_usage.log type=Usage | lookup dnslookup clienthost as h OUTPUT clientip as ip | eval h=coalesce(ip,h) | search h= | stats sum(b) as bytes by h | eval usagePercent=bytes/( 50 *1024*1024*1024)*100 | where usagePercent>5