
license usage by tcp source query

kobi_biton
New Member

Hi,

I am trying to evaluate my daily license usage (in GB) per tcp source. Is there a query that I can issue to get this number? I have 2 tcp inputs, tcp:8183 and tcp:8182.

Thanks!
Kobi

0 Karma

MarioM
Motivator
index="_internal" source="*license_usage.log" type=Usage (s="tcp:8182" OR s="tcp:8183") | rename s as source, b as bytes | stats sum(bytes) as bytes by source | eval Gbytes = bytes/1024/1024/1024 | fields source Gbytes
0 Karma

MarioM
Motivator

Kobi, if you are happy with the info provided, please accept the answer for those who might have the same question. Thanks

0 Karma

MarioM
Motivator

normally an intermediate forwarder sends its metrics.log, but license usage is all on the indexers

0 Karma

kobi_biton
New Member

yep, in my case data will be discarded on the indexer level as my setup is: ufw --> Intermediate forwarder --> splunk indexer. I guess that the query should be run against the Intermediate forwarder?

0 Karma

MarioM
Motivator

not sure about that, it can be empty, but for forwarders you can use this search: index="_internal" source="*metrics.log" group=tcpin_connections | eval gb=kb/1024/1024 | timechart partial=f sum(gb) as GB by sourceHost

this is not useful to measure by forwarder as some data might be discarded at indexer level

0 Karma

kobi_biton
New Member

OK, I see the originator is also null in my case. The only clue I see is the "st" field, which I assume is sourcetype? I can get some info from it. Is there any particular reason why source and source_host would report NULL?

0 Karma

MarioM
Motivator

there is another field named "o" as originator; you can add it in your initial search and filter your search to only show the NULL source_host events:

index="_internal" source="*license_usage.log" type=Usage | rename s as source, b as bytes, h as source_host, o as originator | search source_host=""

0 Karma

kobi_biton
New Member

Thanks! Now I can see my source_hosts. I noticed that 90% of my usage volume comes from a NULL source and a NULL source_host. Is there anything I can do to drill down and identify this source?

Thanks
Kobi

0 Karma

MarioM
Motivator

the deployment monitor app /en-US/app/SplunkDeploymentMonitor/license_info gives you all that info

0 Karma

MarioM
Motivator

they will not show as source, as they are not a source, but they will as h:
index="_internal" source="*license_usage.log" type=Usage | rename s as source, b as bytes, h as source_host | stats sum(bytes) as bytes by source, source_host | eval Gbytes = bytes/1024/1024/1024 | fields source source_host Gbytes

0 Karma
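To make concrete what the license_usage.log searches in this thread compute (sum of `b` per `s`, and per `s`/`h`, converted to GB), here is an added Python example. It is not from the thread and not Splunk's own code: it parses a few constructed lines shaped like license_usage.log entries, counts only `type=Usage` events (a `RolloverSummary` line repeats the daily total and must not be summed), converts bytes with 1024^3, and reports how much of the volume arrives with an empty `s` and `h`, which is the "NULL source" case Kobi describes. The field names `type`, `s`, `st`, `h`, `o`, `b` are the ones used in the thread; the exact line layout, hostnames and byte counts are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like license_usage.log entries. Field names follow the
# thread (type, s, st, h, o, b); the line layout, hosts and sizes are assumptions.
SAMPLE_LOG = """\
01-15-2024 00:00:11.001 +0000 INFO  LicenseUsage - type="Usage" s="tcp:8183" st="syslog" h="web01" o="" idx="main" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
01-15-2024 00:00:11.002 +0000 INFO  LicenseUsage - type="Usage" s="tcp:8182" st="syslog" h="db01" o="" idx="main" pool="auto_generated_pool_enterprise" b=536870912 poolsz=53687091200
01-15-2024 00:00:11.003 +0000 INFO  LicenseUsage - type="Usage" s="" st="syslog" h="" o="" idx="main" pool="auto_generated_pool_enterprise" b=2147483648 poolsz=53687091200
01-15-2024 00:00:11.004 +0000 INFO  LicenseUsage - type="Usage" s="tcp:8183" st="syslog" h="web02" o="" idx="main" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
01-16-2024 00:00:00.000 +0000 INFO  LicenseUsage - type="RolloverSummary" idx="main" pool="auto_generated_pool_enterprise" b=4831838208 poolsz=53687091200
"""

# key=value pairs; quoted values may be empty (s="" is the NULL-source case)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key/value fields of one log line as a dict of strings."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = bare if quoted is None else quoted
    return fields


def usage_events(log_text):
    """Keep only type=Usage entries with a byte count; b is returned as an int."""
    events = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("type") == "Usage" and "b" in f:
            f["b"] = int(f["b"])
            events.append(f)
    return events


def bytes_to_gib(n):
    """Bytes to gibibytes: three divisions by 1024 (1048576*1048576 would give TiB)."""
    return n / 1024 / 1024 / 1024


def usage_by_source(log_text, sources=None):
    """Equivalent of: stats sum(b) by s, optionally restricted to the given sources."""
    totals = defaultdict(int)
    for e in usage_events(log_text):
        s = e.get("s", "")
        if sources is None or s in sources:
            totals[s] += e["b"]
    return dict(totals)


def usage_by_source_host(log_text):
    """Equivalent of: stats sum(b) by s, h."""
    totals = defaultdict(int)
    for e in usage_events(log_text):
        totals[(e.get("s", ""), e.get("h", ""))] += e["b"]
    return dict(totals)


def null_source_share(log_text):
    """Fraction of Usage bytes whose s and h are both empty."""
    events = usage_events(log_text)
    total = sum(e["b"] for e in events)
    null_bytes = sum(e["b"] for e in events if not e.get("s") and not e.get("h"))
    return null_bytes / total if total else 0.0


if __name__ == "__main__":
    for src, b in usage_by_source(SAMPLE_LOG, {"tcp:8182", "tcp:8183"}).items():
        print(f"{src}: {bytes_to_gib(b):.3f} GiB")
    for (src, host), b in usage_by_source_host(SAMPLE_LOG).items():
        print(f"s={src!r} h={host!r}: {bytes_to_gib(b):.3f} GiB")
    print(f"share of bytes with empty s and h: {null_source_share(SAMPLE_LOG):.1%}")
```

Run it directly to see the per-source and per-source/host totals. The empty `s`/`h` bucket is exactly the volume the searches above cannot attribute to a tcp input; the remaining fields on those events (`st`, `idx`, `o`) are what is left to pivot on.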

kobi_biton
New Member

Thanks for the reply. Can I do the same for my splunk inputs? I have 2 splunk tcp inputs (9997, 9998) but they do not seem to be treated as sources. Is there any way to count license usage by splunk tcp input?

0 Karma