License Usage by Index per Day

The following Splunk search query will output license usage for each index for each day for the week to date. It will also output an average for each index over the course of the given time period.

 

Updated / Revised – 8/12/2016

Share This:

Comments

  1. Samthegeek

    index=_internal source=*license_usage.log type=”Usage” splunk_server=* earliest=-1w@d | eval Date=strftime(_time, “%Y/%m/%d”) | eventstats sum(b) as volume by idx, Date | eval GB=round(volume/1024/1024,5)| timechart first(GB) AS volume by idx

    I tried to modify this search to use GB (gigabyte instead of MB megabyte) but the numbers did not change so I am guessing I missed something. I am using a last 7 day window for the search. Can someone please point me in the right direction. thanks.

    1. SplunkNinja

      Samthegeek,
      You’ll want to add in the additional math for GB.
      | eval MB=round(volume/1024/1024,5)
      | eval MB=round(volume/1024/1024/1024,5)

      As you can see above you simply divide by another 1024 to go from MB to GB.

      Thanks!

  2. Speed Racer

    Thx for the great search. You mentioned that the search will also output an average for each index over the course of the given time period, but I’m not seeing an average after the search completes.

    Thx

    1. SplunkNinja

      Speed Racer,
      Good catch. I think an earlier version of this did have an average but was removed for some reason.

      You’d want to use something like this below but alter it as needed:
      index=_internal source=*license_usage.log type=”Usage” splunk_server=*
      | eval Date=strftime(_time, “%Y/%m/%d”)
      | streamstats sum(b) as volume
      | eval MB=round(volume/1024/1024,5)
      | timechart span=1w avg(MB) by idx

  3. AzJimbo

    Bummer – this doesn’t work with my dev license. So I built a workaround. I can get daily usage, but not over time. So this runs every night just before the data rolls over and is lost:
    59 22 * * * Sooner or later I’ll have to add a data roll off to the csv based on date collected.

    |inputlookup license_tracking.csv append=true
    |append
    [| rest splunk_server=local /services/licenser/pools
    | rename title AS Pool
    | search
    [ rest splunk_server=local /services/licenser/groups
    | search is_active=1
    | eval stack_id=stack_ids
    | fields stack_id]
    | eval quota=if(isnull(effective_quota),quota,effective_quota)
    | eval “Used”=round(used_bytes/1024/1024/1024, 3)
    | eval “Quota”=round(quota/1024/1024/1024, 3)
    | eval “% used”=round(used_bytes/quota*100,2)
    | fields Pool “Used” “% used” “Quota”
    |eval dtger=(now())
    |eval dtgr=strftime(dtger, “%Y-%m-%d %H:%M:%S”)
    ]
    |table dtger dtgr Pool “Used” “% used” “Quota”
    |outputlookup license_tracking.csv

Leave A Comment?