Is there a procedure or a search string to determine the heavy-hitter hostname based on operating system? We work on five different operating systems and would like to determine the usage per OS level.
Try the metrics.log. During each metrics dump (every 30 seconds), the "top X biggest Y" are written out, where X defaults to ten (10) and Y is sourcetype, host, index, etc. The search string would read like:
index=_internal source=*metrics.log group=tcpin_connections | stats sum(kb) AS kb by os
You could also use the os field from the tcpin_connections entries to identify the OS, while getting the accurate license usage from license_usage.log.
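As an added illustration (not part of the original answer), the following Python script parses constructed metrics.log lines in the shape of group=tcpin_connections entries and reproduces the stats sum(kb) by os aggregation offline, then extends it to rank the heavy-hitter hostnames within each OS. The sample lines, hostnames and IPs are constructed, and because metrics.log only records the top connections per dump, these sums are a sample rather than exact license usage.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like Splunk metrics.log group=tcpin_connections
# entries (fields trimmed to the ones used here; hosts and IPs are made up).
SAMPLE_METRICS_LOG = """\
06-01-2024 10:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.1.10:41000:9997, connectionType=cooked, sourceHost=10.1.1.10, destPort=9997, kb=120.5, fwdType=uf, os=Linux, arch=x86_64, hostname=web01
06-01-2024 10:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.1.11:41001:9997, connectionType=cooked, sourceHost=10.1.1.11, destPort=9997, kb=80.25, fwdType=uf, os=Windows, arch=x86_64, hostname=dc01
06-01-2024 10:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.1.12:41002:9997, connectionType=cooked, sourceHost=10.1.1.12, destPort=9997, kb=300.0, fwdType=uf, os=Linux, arch=x86_64, hostname=db01
06-01-2024 10:00:30.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.1.10:41000:9997, connectionType=cooked, sourceHost=10.1.1.10, destPort=9997, kb=130.0, fwdType=uf, os=Linux, arch=x86_64, hostname=web01
06-01-2024 10:00:30.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=512, current_size_kb=0
"""

# key=value pairs; values are either quoted or run up to the next comma/space.
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def parse_tcpin_connections(text):
    """Yield a dict of fields for each group=tcpin_connections line (other groups skipped)."""
    for line in text.splitlines():
        if "group=tcpin_connections" not in line:
            continue
        yield {k: v.strip('"') for k, v in KV_RE.findall(line)}


def kb_by_os(text):
    """Offline equivalent of: group=tcpin_connections | stats sum(kb) AS kb by os."""
    totals = defaultdict(float)
    for fields in parse_tcpin_connections(text):
        totals[fields.get("os", "unknown")] += float(fields.get("kb", 0))
    return dict(totals)


def top_hosts_by_os(text, n=10):
    """Heavy-hitter hostnames per OS: {os: [(hostname, kb), ...]} sorted by kb descending."""
    per_os = defaultdict(lambda: defaultdict(float))
    for fields in parse_tcpin_connections(text):
        per_os[fields.get("os", "unknown")][fields.get("hostname", "unknown")] += float(fields.get("kb", 0))
    return {os_name: sorted(hosts.items(), key=lambda kv: kv[1], reverse=True)[:n]
            for os_name, hosts in per_os.items()}


if __name__ == "__main__":
    print(kb_by_os(SAMPLE_METRICS_LOG))        # {'Linux': 550.5, 'Windows': 80.25}
    print(top_hosts_by_os(SAMPLE_METRICS_LOG))  # db01 leads Linux, dc01 is the only Windows host
```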