I need to know the license usage of 5 indexes on a daily basis. All the options I have been trying gives me the license usage of all the indexes.
In the license usage logs there is a field called idx which denotes the index that the data is being written to. Doing a sum of the bytes field (b) by idx will give you the license usage per index:
index=_internal source="*license_usage.log" | stats sum(b) by idx
If you wanted to know the total for the five indexes, simply search for these indexes before doing the sum:
index=_internal source="*license_usage.log" idx="index1" OR idx="index2 OR idx="index3" OR idx="index4" OR idx="index5" | stats sum(b)
Similarly, "h" is the host field in the license_usage logs.
In the license usage logs there is a field called idx which denotes the index that the data is being written to. Doing a sum of the bytes field (b) by idx will give you the license usage per index:
index=_internal source="*license_usage.log" | stats sum(b) by idx
If you wanted to know the total for the five indexes, simply search for these indexes before doing the sum:
index=_internal source="*license_usage.log" idx="index1" OR idx="index2 OR idx="index3" OR idx="index4" OR idx="index5" | stats sum(b)
Similarly, "h" is the host field in the license_usage logs.
Thank you, !!! If I want to include host and index both on the same query. License usage for 5 indexes and 2 hosts on this query and the usage should be in GB on daily basis.