Group indexes together for License Usage

JScordo
Path Finder

All,
I have a bunch of different indexes, each one belonging to one of three teams. How do I create a report that will group each of the teams' index usage together?

Team 1 uses:
IndexA, IndexB, IndexC

Team2 uses:
IndexD, IndexE, IndexF

Team3 uses:
IndexG, IndexH

My report currently gives me a breakdown of usage per index, but I want to group the indexes so instead of a value per index, I can get a value per team.

Current Search:
index=_internal source=*license_usage.log type=Usage | rename idx AS index | timechart span=1d eval(round(sum(b)/1024/1024/1024,2)) AS "Total GB Used" by index useother=f

0 Karma
1 Solution

aljohnson_splun
Splunk Employee

Hey @JScordo,

You can use eval's case function to make a "team indicator field" like so:

index=_internal source=*license_usage.log type=Usage 
| rename idx AS index 
| eval team = case(match(index, "A|B|C"), 1, match(index, "D|E|F"), 2, match(index, "G|H"), 3)
| timechart span=1d eval(round(sum(b)/1024/1024/1024,2)) AS "Total GB Used" by team useother=f

Whatever you put in the "A|B|C" portions should be regular expressions which match the index name you're looking for.

craigv_splunk
Splunk Employee

Perhaps use a lookup table. Use the lookup functionality to add the team field to the events and then search based on that.

You'd need a table:
Index  | Team
IndexA | Team1
IndexB | Team1
IndexC | Team1
IndexD | Team2
etc.

Then you'll want to add the lookup command to your search to pull in the additional team field.
For more info on this see: http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Lookup

0 Karma
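As an added stand-alone illustration (not code from this thread or from Splunk), here is a Python re-creation of the lookup-table approach above and of the case()-based team field in the accepted answer, run over constructed license_usage.log lines. The hosts, sizes, dates and the "unassigned" bucket are my own assumptions; the day is taken from the leading MM-DD-YYYY timestamp.

```python
import re
from collections import defaultdict

# Constructed sample events in the shape of license_usage.log lines (hypothetical
# hosts, sizes and dates; not data from the thread). The report only relies on the
# leading MM-DD-YYYY timestamp and the type=, idx= and b= fields.
SAMPLE_LOG = """\
01-10-2024 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="host1" st="syslog" h="host1" o="" idx="IndexA" i="sv1" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
01-10-2024 00:00:02.000 +0000 INFO  LicenseUsage - type=Usage s="host1" st="syslog" h="host1" o="" idx="IndexB" i="sv1" pool="auto_generated_pool_enterprise" b=536870912 poolsz=53687091200
01-10-2024 00:00:03.000 +0000 INFO  LicenseUsage - type=Usage s="host2" st="json" h="host2" o="" idx="IndexD" i="sv1" pool="auto_generated_pool_enterprise" b=2147483648 poolsz=53687091200
01-10-2024 00:00:04.000 +0000 INFO  LicenseUsage - type=Usage s="host3" st="json" h="host3" o="" idx="IndexZ" i="sv1" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
01-10-2024 00:00:05.000 +0000 INFO  LicenseUsage - type=RolloverSummary idx="IndexA" b=9999999999
01-11-2024 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="host4" st="syslog" h="host4" o="" idx="IndexG" i="sv1" pool="auto_generated_pool_enterprise" b=3221225472 poolsz=53687091200
01-11-2024 00:00:02.000 +0000 INFO  LicenseUsage - type=Usage s="host4" st="syslog" h="host4" o="" idx="IndexH" i="sv1" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
"""

# Explicit index -> team table (the lookup-table approach). Exact names avoid the
# partial matches an unanchored regex such as "A|B|C" can produce on other index names.
TEAM_OF = {
    "IndexA": "Team1", "IndexB": "Team1", "IndexC": "Team1",
    "IndexD": "Team2", "IndexE": "Team2", "IndexF": "Team2",
    "IndexG": "Team3", "IndexH": "Team3",
}

# Assumed line layout: day first, then key=value pairs; only the needed keys are captured.
_EVENT = re.compile(
    r'^(?P<day>\d{2}-\d{2}-\d{4}) .*?\btype=(?P<type>\w+)\b.*?\bidx="(?P<idx>[^"]*)".*?\bb=(?P<b>\d+)'
)


def usage_by_team_per_day(log_text, team_of=TEAM_OF):
    """Return {day: {team: GB rounded to 2 places}} for type=Usage events, mirroring
    `timechart span=1d sum(b) by team`. Indexes absent from the table are counted
    under "unassigned" so their usage is visible instead of silently dropped."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = _EVENT.match(line)
        if not m or m.group("type") != "Usage":
            continue  # skip unparsable lines and non-Usage record types
        team = team_of.get(m.group("idx"), "unassigned")
        totals[m.group("day")][team] += int(m.group("b"))
    return {day: {team: round(b / 1024 ** 3, 2) for team, b in teams.items()}
            for day, teams in totals.items()}


if __name__ == "__main__":
    for day, teams in sorted(usage_by_team_per_day(SAMPLE_LOG).items()):
        print(day, dict(sorted(teams.items())))
```

With the SPL `case()` approach, an index that matches none of the branches gets a null team and disappears from the `useother=f` timechart; the "unassigned" bucket here is the equivalent of adding a catch-all branch so that usage is never silently lost.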

somesoni2
Revered Legend

Try like this

index=_internal source=*license_usage.log type=Usage (idx="IndexA" OR idx="IndexB" OR idx="IndexC" OR idx="IndexD" OR idx="IndexE" OR idx="IndexF" OR idx="IndexG" OR idx="IndexH")
| eval Team=case(idx="IndexA" OR idx="IndexB" OR idx="IndexC","Team1", idx="IndexD" OR idx="IndexE" OR idx="IndexF","Team2", idx="IndexG" OR idx="IndexH","Team3")
| timechart span=1d sum(b) by Team
| foreach * [eval "<<FIELD>>"=round('<<FIELD>>'/1024/1024/1024,2)]
0 Karma