@nickhills 

Thank you. I have changed the ratio to 1 in the query post which I can see the exact License consumption size in GB for EventCode=4688. 

Thanks for your help.

So when i searched using the following query for Last 4 Days.

index=wineventlog sourcetype=winlog EventCode=4688
| eval bytes=len(_raw)
| timechart avg(bytes) as avg_bytes count span=1d
| eval ratio=10000
| eval consumptionBytes=((avg_bytes*count)*ratio)
| eval consumptionKB=((avg_bytes*count)*ratio)/1024
| eval consumptionMB=((avg_bytes*count)*ratio)/1024/1024
| eval consumptionGB=((avg_bytes*count)*ratio)/1024/1024/1024

I can see that the data has been split up into following fields but when i checked the consumption in GB it states some irrelevant value since we have opted for 150 GB of overall licensing per day. But here in this case the 5093.016298 GB value seems to be odd.

Not sure what is the mistake which i have done. So is there any possibility to pull the license usage for the EventCode=4688 in GB for last 30 days.

You set ratio=10000 in your search. Did you follow @nickhills  advice and select the corresponding sampling ratio when running the search (it doesn't look like you did, hence the 10000x consumption numbers):

Thank you for your swift response.

I  believe that we can able to calculate the license usage in GB per day based on the internal logs. So I used the following query and I can able to see the license usage in GB for the specific sourcetype "winlog"

index="_internal" source="*license_usage.log" type=Usage st=winlog | bin _time span=1d | stats sum(b) AS bytes by _time,st | eval DailyGB=round (bytes/1024/1024/1024, 3) | timechart sum(DailyGB) by st span=1d limit=0 |sort - _time

So how to modify the same query i.e. I want to additionally include the EventCode=4688 so that it will calculate and pull the exact license usage for the sourcetype=winlog & EventCode=4688.

So kindly help with the query.

Also when i ran the query which you have provided for last 7 days.

index=wineventlog sourcetype=winlog EventCode=4688 earliest=-24h latest=now
| eval bytes=len(_raw)
| stats avg(bytes) as avg_bytes count
| eval ratio=x
| eval consumptionBytes=((avg_bytes*count)*ratio)
| eval consumptionKB=((avg_bytes*count)*ratio)/1024
| eval consumptionMB=((avg_bytes*count)*ratio)/1024/1024
| eval consumptionGB=((avg_bytes*count)*ratio)/1024/1024/1024

I can see two fields in the stats avg_bytes and count.

But I want the daily license usage stats for the sourcetype=winlog EventCode=4688 for past 30 days.

So kindly help on the same.

I am looking to find out the license usage for particular dataset in events. Please let me know if any clue. 

index=aws sourcetype=aws accoutn=123456 

Hi @harishsplunk7 ,

I’m a Community Moderator in the Splunk Community. 
This question was posted 3 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.
 

Thank you!

1. Usually starting a new thread instead of digging up an old one (possibly posting a link to the old one for reference) yields bigger chance of getting reasonable results.

2. As you've already read, Splunk does measure only general license usage as well as split by index or sourcetype. But not much more. So you have to either count it yourself by measuring the aggregate data size (which can be very costly) or estimate it by sampling as showed in this thread.

3. License measurement might or might not make sense in context of datasets since datasets can be defined in various way. In general - datasets as such don't consume license. Only the events that dataset is based on have already consumed the license. But this is in no way an "exclusive count" - the same events can be used to for example Network Traffic and Network Sessions datamodels. So it's not really clear what you need.