Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Query to find the license usage by a particular host or index on a daily basis

mintughosh
Path Finder
‎02-12-2017 01:56 PM

I need to know the license usage of 5 indexes on a daily basis. All the options I have been trying gives me the license usage of all the indexes.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lquinn
Contributor
‎02-12-2017 03:52 PM

In the license usage logs there is a field called idx which denotes the index that the data is being written to. Doing a sum of the bytes field (b) by idx will give you the license usage per index:

index=_internal source="*license_usage.log" | stats sum(b) by idx

If you wanted to know the total for the five indexes, simply search for these indexes before doing the sum:

index=_internal source="*license_usage.log" idx="index1" OR idx="index2 OR idx="index3" OR idx="index4" OR idx="index5" | stats sum(b)

Similarly, "h" is the host field in the license_usage logs.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lquinn
Contributor
‎02-12-2017 03:52 PM

In the license usage logs there is a field called idx which denotes the index that the data is being written to. Doing a sum of the bytes field (b) by idx will give you the license usage per index:

index=_internal source="*license_usage.log" | stats sum(b) by idx

If you wanted to know the total for the five indexes, simply search for these indexes before doing the sum:

index=_internal source="*license_usage.log" idx="index1" OR idx="index2 OR idx="index3" OR idx="index4" OR idx="index5" | stats sum(b)

Similarly, "h" is the host field in the license_usage logs.

0 Karma
Reply
Solved! Jump to solution

mintughosh
Path Finder
‎02-14-2017 09:52 PM

Thank you, !!! If I want to include host and index both on the same query. License usage for 5 indexes and 2 hosts on this query and the usage should be in GB on daily basis.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...