Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to calculate the license usage for specific sourcetype

kteng2024
Path Finder
‎08-19-2017 10:25 AM

Can i please know how to calculate license usage of a particular sourcetype from a specific host before indexing ? For example , i have host "webapp01" having a sourcetype "access_log" but i would like to calculate how much data this sourcetype is sending to splunk before indexing to understand license consumption .

0 Karma
Reply

preotesoiu
Path Finder
‎08-21-2017 08:54 AM

this search could perhaps do the trick as well:
index=_internal source=*license_usage.log type=Usage h=yourhost | stats sum(b) AS bytes by st | eval MB= round(bytes/1024/1024,3) | fields st MB | rename st as Sourcetype | sort -MB

0 Karma
Reply

mdsnmss
SplunkTrust
SplunkTrust
‎08-21-2017 06:58 AM

Without downloading an app here is a search that should help:

index=_internal source=*license_usage.log type="Usage"    | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)   | eval sourcetypename = st   | eval host=h | bin _time span=1d    | stats sum(b) as b by _time, host, indexname, sourcetypename | eval GB=(b/1024/1024/1024)  | fields _time, indexname, sourcetypename, host, GB |  stats sum(GB) as GB by indexname, sourcetypename, host | search indexname=* sourcetypename=* host=*

You can use the last pipe to filter what you want to see. One thing to be aware of is host/source reporting can sometimes get squashed and you may see blank values for hosts/sources at that granularity. This thread explains squashing pretty well: https://answers.splunk.com/answers/48542/blank-h-and-s-in-license-usage-log.html.

There is a tunable setting in server.conf for this.

0 Karma
Reply

kteng2024
Path Finder
‎08-21-2017 11:38 AM

Thank you for the reply. But i would like to know how data is that sourcetype sending to splunk before indexing .

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎08-19-2017 12:18 PM

hi kteng2024!

Your best bet is to simply calculate the total size of your access.log on the server over a few of your busiest days. This should give you a pretty close estimate of how much license it will consume per day.

ls -lah should give you the access.log size in human readable in nix.

- MattyMo
0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎08-21-2017 08:57 AM

I stick by this answer seeing as you asked PRE-INDEX. After indexing my vote goes to meta woot app FOR SURE!

- MattyMo
0 Karma
Reply

muralikoppula
Communicator
‎08-19-2017 11:07 AM

Try this app
https://splunkbase.splunk.com/app/2949/

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...