hey, this is very simple there is a ready-made query for in Licensing » License Usage Reporting » Previous 30 days » split_by index
do open in search and customize the query only for one index
index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" idx=<index_name> | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
so idx=<index_name> <index_name> is the name of the index that you want to find.
Also if you want to stick to your query then you can do the same for your query as well.
index=_internal source="*license_usage.log*" type=Usage idx=<index_name>
| eval yearmonthday=strftime(_time, "%Y%m%d")
| eval yearmonth=strftime(_time, "%Y%m%d")
| stats sum(b) AS volume_b by idx yearmonthday yearmonth
| eval MB=round(volume_b/1024/1024,2)
| chart sum(MB) over yearmonth by idx
let me know if this helps!
... View more
