License Usage by Sourcetypes

_internal
SplunkNinja
3 Comments
You already voted!

The following Splunk query will return results for license usage by sourcetype:

index=_internal source="*license_usage.lo*" type=Usage | stats sum(b) as bytes by st | eval Megabytes=bytes/1048576 |eval Megabytes=round(Megabytes,2) | fieldformat Megabytes=tostring(Megabytes,"commas")| rename st as sourcetype | fields - bytes | sort - Megabytes

Comments

curiousSplunker October 11, 2017 at 3:13 pm

Do you happen to have a way to modify this search string to add totals and then show each sourcetype with its percentage of the whole?

Reply
1. SplunkNinja October 11, 2017 at 4:20 pm
  
  index=_internal source=”*license_usage.lo*” type=Usage
  | stats sum(b) as bytes by st
  | eval Megabytes=bytes/1048576
  | eval Megabytes=round(Megabytes,2)
  | rename st as sourcetype
  | fields – bytes
  | sort – Megabytes
  | eventstats sum(Megabytes) as totalMB
  | eval percent=100*(Megabytes/totalMB)
  
  Reply
  1. curiousSplunker October 12, 2017 at 9:24 am
    
    You rock friend! Thanks a bunch!
    
    Reply

Splunk Query Repository

License Usage by Sourcetypes

Comments

Leave A Comment? Click here to cancel reply.

Splunk Query Repository

License Usage by Sourcetypes

Related Queries

Splunk License Consumption via _introspection

Original posted in 2015 Testing an issue with brackets

Indexes size and EPS

Comments

Leave A Comment? Click here to cancel reply.