License Usage by Index per Day

The following Splunk search query will output license usage for each index for each day for the week to date. It will also output an average for each index over the course of the given time period.


Updated / Revised – 8/12/2016

  1. Samthegeek

    index=_internal source=*license_usage.log type="Usage" splunk_server=* earliest=-1w@d | eval Date=strftime(_time, "%Y/%m/%d") | eventstats sum(b) as volume by idx, Date | eval GB=round(volume/1024/1024,5) | timechart first(GB) AS volume by idx

    I tried to modify this search to use GB (gigabyte instead of MB megabyte) but the numbers did not change, so I am guessing I missed something. I am using a last 7 day window for the search. Can someone please point me in the right direction? Thanks.

    1. SplunkNinja

      You’ll want to add in the additional math for GB.
      | eval MB=round(volume/1024/1024,5)
      | eval MB=round(volume/1024/1024/1024,5)

      As you can see above you simply divide by another 1024 to go from MB to GB.


  2. Speed Racer

    Thx for the great search. You mentioned that the search will also output an average for each index over the course of the given time period, but I’m not seeing an average after the search completes.


    1. SplunkNinja

      Speed Racer,
      Good catch. I think an earlier version of this did have an average, but it was removed for some reason.

      You’d want to use something like this below but alter it as needed:
      index=_internal source=*license_usage.log type="Usage" splunk_server=*
      | eval Date=strftime(_time, "%Y/%m/%d")
      | streamstats sum(b) as volume
      | eval MB=round(volume/1024/1024,5)
      | timechart span=1w avg(MB) by idx
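
An added example, not part of the original post or the comments above: one way to get the per-day GB figures and a per-index average in a single table. It uses the same `license_usage.log` fields as the searches on this page (`b`, `idx`); the `Average` column label and the `bytes` field name are chosen here for illustration.

```spl
index=_internal source=*license_usage.log type="Usage" earliest=-1w@d
| bin _time span=1d
| stats sum(b) AS bytes BY _time, idx
| eval GB=round(bytes/1024/1024/1024, 5), Date=strftime(_time, "%Y/%m/%d")
| appendpipe
    [ stats avg(GB) AS GB BY idx
    | eval GB=round(GB, 5), Date="Average" ]
| xyseries idx Date GB
```

Each row is an index, each dated column is that day's usage in GB, and the last column is the mean of the daily values. The average is taken only over days on which the index reported usage; days with no events for an index are not counted as zero.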

