Hi ,
Please try the below one,
index=_internal source=*license_usage.log type=Usage
| stats sum(b) as bytes by h
| eval MB = round(bytes/1024/1024,1)
| fields h MB
| rename h as host
Hi duanehare,
run this search, which is basically the same from the license usage report but with added useother=f usenull=f
so you no longer have the OTHER
group in the time chart:
index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | join _time pool type=outer [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS stacksz by slave, pool, _time | stats max(stacksz) AS stacksz by _time, pool] | stats sum(b) AS bytes_used max(stacksz) AS stacksz by h, _time | timechart span=1d max(eval(round(bytes_used/stacksz*100,2))) by h fixedrange=false useother=f usenull=f
Hope this helps ...
cheers, MuS
I ran this query and it returned 0 events. Suggestions?
do you have access to index=_internal
? run this search:
index=_internal host=indexer source=*license_usage.log type="Usage"
The above search is the one from the License Usage Report, just added the useother=f usenull=f
options....
ahh just found the error 🙂 remove host=indexer
from the search !
Just updated the answer and the search