Following some runaway license violations, I am looking to find the offending host, but in running the queries that I have, I am finding that the total "host usage" is far more than the "license usage".
I am using the following to show the usage per host:
index="_internal" source="*metrics.log" group="per_host_thruput" | eval mb = (round(kb,0)/1024) | chart sum(mb) by series | sort - sum(mb)
I am using the following to find the usage against the license:
index=_internal source=*license_usage* type=RolloverSummary | bucket _time span=1d | eval MB_vol=b/1024/1024 | timechart span=1d sum(MB_vol) by pool