Reporting

Billing report per host in splunk

deejay1
Explorer

Is there any chance to generate billing reports in splunk?
We can see in deployment monitor charts - license usage per index, per host and so on, but is it possible to generate in easy way document (f. e. excel) with informations: how much percent of license / license cost every host is consuming? (Not only top hosts, for all of them).

Thank you very much for reply, Kind regards,

Tags (2)
0 Karma

lguinn2
Legend

I don't know why you aren't seeing a host name. But you can try this variation, which will show the host sourcetype and source. Perhaps that will give you more information about what is going on. And there isn't any intermediary summary by sourcetype that I know of...

index="_internal" source="*license_usage.log" | eval lastReceived = _time | 
rename h as host b as bytes st as sourcetype s as source | 
stats sum(bytes) as bytes max(lastReceived) as lastReceived by host sourcetype source| 
eval mbytes=((bytes/1024)/1024) | 
fields host sourcetype source mbytes lastReceived | 
stats max(lastReceived) as lastReceived sum(mbytes) as MBytes by host sourcetype source| 
fieldformat lastReceived = strftime(lastReceived, "%a %F %T") | 
eventstats sum(MBytes) as totalMB | 
eval percent = round(100*MBytes/totalMB,2) | fields - totalMB

deejay1
Explorer

We have changed $SPLUNK_HOME/etc/system/local/inputs.conf and we are sure, that there are hostnames.
But still host, that is consuming more than 90% of lciense, is an empty host.
Also in deployment monitor.

do you have any idea?

0 Karma

lguinn2
Legend

Well, you could start with this search:

index="_internal" source="*license_usage.log" | eval lastReceived = _time | 
rename h as host b as bytes | 
stats sum(bytes) as bytes max(lastReceived) as lastReceived by host | 
eval mbytes=((bytes/1024)/1024) | 
fields host mbytes lastReceived | 
stats max(lastReceived) as lastReceived sum(mbytes) as MBytes by host | 
fieldformat lastReceived = strftime(lastReceived, "%a %F %T") | 
eventstats sum(MBytes) as totalMB | 
eval percent = round(100*MBytes/totalMB,2) | fields - totalMB

and export it to a .csv file. Once you open the file in Excel, you could add in a column to calculate the price. This search only calculates the license usage by host with a percentage.

deejay1
Explorer

Hmm, aren't the records with an ampety host some kind of intermediary summary per sourcetype? I can't find anything in our deployment apps which would result in an empty host, although we'll check it on the servers themselves during the week.

0 Karma

lguinn2
Legend

Hmm, I would look in $SPLUNK_HOME/etc/system/local/inputs.conf on each host/forwarder. There is a line in the file that defines the default host name for data originating on that host. Look for host= but no value supplied.

Also, if it is happening to only part of the data from a host, you may have a stanza in inputs.conf or props.conf that simply says host= . You will want to fix this quick!

0 Karma

deejay1
Explorer

Thank you very much! I've just started to build report and I think this is what I need:)
I have another question - have you any idea, why main license-consuming host is.. blank?

Also in deployment monitor there was this host with blank hostname.

Thank you for an answer!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...