license usage by tcp source query

kobi_biton
New Member

Hi ,

I am trying to evaluate my daily license usage (in GB) per TCP source. Is there a query I can issue to get this number? I have 2 TCP inputs, tcp:8183 and tcp:8182.

Thanks!
Kobi


MarioM
Motivator
index="_internal" source="*license_usage.log" (s="tcp:8182" OR s="tcp:8183") | rename s as source, b as bytes | stats sum(bytes) as bytes by source | eval Gbytes = bytes/1024/1024/1024 | fields source Gbytes

MarioM
Motivator

Kobi, if you are happy with the info provided, please accept the answer for those who might have the same question. Thanks

MarioM
Motivator

Normally an intermediate forwarder sends its metrics.log, but license usage is all on the indexers.

kobi_biton
New Member

Yep, in my case data will be discarded at the indexer level, as my setup is: ufw --> intermediate forwarder --> Splunk indexer. I guess the query should be run against the intermediate forwarder?

MarioM
Motivator

Not sure about that, it can be empty, but for forwarders you can use this search:

index="_internal" source="*metrics.log" group=tcpin_connections | eval gb=kb/1024/1024 | timechart partial=f sum(gb) as GB by sourceHost

This is not useful to measure by forwarder, as some data might be discarded at the indexer level.

kobi_biton
New Member

OK, I see the originator is also null in my case. The only clue I see is the "st" field, which I assume is sourcetype? I can get some info from it. Is there any particular reason why source and source_host would report NULL?

MarioM
Motivator

There is another field named "o" as originator. You can add it in your initial search and filter your search to only show the NULL source_host events:

index="_internal" source="*license_usage.log" type=Usage | rename s as source, b as bytes, h as source_host, o as originator | search source_host=""

kobi_biton
New Member

Thanks! Now I can see my source_hosts. I noticed that 90% of my usage volume comes from a NULL source and a NULL source_host. Is there anything I can do to drill down and identify this source?

Thanks
Kobi

MarioM
Motivator

The deployment monitor app (/en-US/app/SplunkDeploymentMonitor/license_info) gives you all that info.

MarioM
Motivator

They will not show as source, as they are not a source, but they will as h:

index="_internal" source="*license_usage.log" type=Usage | rename s as source, b as bytes, h as source_host | stats sum(bytes) as bytes by source, source_host | eval Gbytes = bytes/1024/1024/1024 | fields source source_host Gbytes
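As an added example (not code from the thread), the same per-source, per-host aggregation done offline in Python over a few constructed license_usage.log lines, so the s, h, b fields the search renames are visible, events with an empty s or h are kept as a visible "<none>" bucket instead of vanishing, and only type="Usage" events are summed. The sample lines and values are made up, and bytes are converted with 1024^3 per GiB.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of Splunk license_usage.log "Usage"
# events (field names s, st, h, o, b match the rename in the search above).
# Values are invented for this example; the last line is a summary event
# that carries b= but no source and must not be counted as usage.
SAMPLE_LOG = """\
02-20-2024 00:00:05.123 +0000 INFO  LicenseUsage - type="Usage" s="tcp:8182" st="syslog" h="fw01" o="" idx="main" i="ABCD" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
02-20-2024 00:00:05.123 +0000 INFO  LicenseUsage - type="Usage" s="tcp:8183" st="json" h="app02" o="" idx="main" i="ABCD" pool="auto_generated_pool_enterprise" b=536870912 poolsz=53687091200
02-20-2024 00:00:05.124 +0000 INFO  LicenseUsage - type="Usage" s="" st="splunkd" h="" o="" idx="_internal" i="ABCD" pool="auto_generated_pool_enterprise" b=2147483648 poolsz=53687091200
02-20-2024 00:00:05.124 +0000 INFO  LicenseUsage - type="Usage" s="tcp:8182" st="syslog" h="fw02" o="" idx="main" i="ABCD" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
02-20-2024 00:00:05.125 +0000 INFO  LicenseUsage - type="RolloverSummary" idx="main" b=4294967296 poolsz=53687091200
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
GIB = 1024 ** 3  # bytes per gibibyte (/1048576/1048576 would be tebibytes)


def parse_fields(line):
    """Return the key=value fields of one license_usage.log line as a dict."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def usage_by_source(log_text, sources=None):
    """Sum b (bytes) of type="Usage" events per (s, h) and report GiB.

    An empty s or h (the NULL case discussed in the thread) is reported
    under "<none>" so that volume stays visible in the totals.
    sources: optional set of s values to keep, e.g. {"tcp:8182", "tcp:8183"}.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if 'type="Usage"' not in line:
            continue  # skip RolloverSummary and other non-usage events
        f = parse_fields(line)
        src = f.get("s", "") or "<none>"
        host = f.get("h", "") or "<none>"
        if sources is not None and src not in sources:
            continue
        totals[(src, host)] += int(f.get("b", 0))
    return {k: v / GIB for k, v in totals.items()}


if __name__ == "__main__":
    for (src, host), gib in sorted(usage_by_source(SAMPLE_LOG).items()):
        print(f"{src:<10} {host:<8} {gib:8.3f} GiB")
```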

kobi_biton
New Member

Thanks for the reply. Can I do the same for my Splunk inputs? I have 2 Splunk TCP inputs (9997, 9998) but they do not seem to be treated as sources. Is there any way to count license usage by Splunk TCP input?