How to filter results of a search or show license consumption of only one index?

worm929
Explorer

All right, I've given up googling. I can't find the answer to this simple question, I hope you can help me out:

I have a nice search that lists all the indexes and their license consumption. This works fine:

index=_internal source="*license_usage.log*" type=Usage 
| eval yearmonthday=strftime(_time, "%Y%m%d") 
| eval yearmonth=strftime(_time, "%Y%m%d") 
| stats sum(b) AS volume_b by idx yearmonthday yearmonth 
| eval MB=round(volume_b/1024/1024,2) 
| chart sum(MB) over yearmonth by idx

I now want to filter this table to show ONLY ONE of the indexes, and then create a graph of how it evolved over time.
I cannot for the life of me find a way to exclude all other indexes from the search and just leave one.


So any of these could solve my issue:

  1. How to filter results from an already working search.
  2. How to make a graph that shows the evolution of license consumption of a specific index.

thanks a lot.

1 Solution

andyfrank
Explorer

I'm quite new to this, but I believe if you add "idx=[your_index]" on the first line it should filter the results to just that index.

For example:

index=_internal source="*license_usage.log*" type=Usage idx=main
...

Then, if you want to graph it, you just go into the Visualization tab and choose a Line Chart, for example.

mayurr98
Super Champion

Hey, this is very simple: there is a ready-made query for it in Licensing » License Usage Reporting » Previous 30 days » split_by index.
Open it in search and customize the query for only one index:

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" idx=<index_name>
 | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
 | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
 | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
 | bin _time span=1d
 | stats sum(b) as b by _time, pool, s, st, h, idx
 | timechart span=1d sum(b) AS volumeB by idx fixedrange=false
 | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time]
 | fields - _timediff
 | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

So in idx=<index_name>, <index_name> is the name of the index that you want to find.

Also, if you want to stick to your query, then you can do the same for your query as well:

index=_internal source="*license_usage.log*" type=Usage idx=<index_name>
 | eval yearmonthday=strftime(_time, "%Y%m%d") 
 | eval yearmonth=strftime(_time, "%Y%m%d") 
 | stats sum(b) AS volume_b by idx yearmonthday yearmonth 
 | eval MB=round(volume_b/1024/1024,2) 
 | chart sum(MB) over yearmonth by idx

Let me know if this helps!

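As an added example (not from either answer above), this Python script re-implements the aggregation of the question's search outside Splunk, so you can see exactly what adding idx=<index_name> to the base search removes: only_index=None reproduces the per-index daily MB table, only_index="main" the single-index series, and the built-in report's "(UNKNOWN)" handling of an empty idx is included. The field layout is assumed from the usual license_usage.log line format, and the sample lines are constructed, not real data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the license_usage.log layout (not real data);
# "b" is the number of bytes indexed and "idx" the destination index.
SAMPLE_LOG = """\
03-14-2024 00:05:00.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st=syslog h="host1" o="" idx="main" pool="auto_generated_pool_enterprise" b=3145728
03-14-2024 00:05:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app.log" st=app h="host2" o="" idx="app" pool="auto_generated_pool_enterprise" b=1048576
03-14-2024 12:05:00.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st=syslog h="host1" o="" idx="main" pool="auto_generated_pool_enterprise" b=1048576
03-14-2024 23:59:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary stacksz=53687091200
03-15-2024 00:05:00.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st=syslog h="host1" o="" idx="" pool="auto_generated_pool_enterprise" b=524288
03-15-2024 06:05:00.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st=syslog h="host1" o="" idx="main" pool="auto_generated_pool_enterprise" b=2097152
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="value"

def parse_line(line):
    """Return (timestamp, {field: value}) for one license_usage.log line."""
    ts = datetime.strptime(" ".join(line.split()[:3]), "%m-%d-%Y %H:%M:%S.%f %z")
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.groups()
        fields[key] = quoted if quoted is not None else raw
    return ts, fields

def daily_mb_by_index(log_text, only_index=None):
    """Equivalent of the search in the question: keep type=Usage events,
    bin by day (%Y%m%d), sum(b) per idx, MB=round(bytes/1024/1024, 2).
    Passing only_index mirrors adding idx=<index_name> to the base search.
    An empty idx becomes "(UNKNOWN)", as the built-in report does."""
    daily = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ts, f = parse_line(line)
        if f.get("type") != "Usage":        # drop RolloverSummary etc.
            continue
        idx = f.get("idx") or "(UNKNOWN)"
        if only_index is not None and idx != only_index:
            continue                        # the idx=<index_name> filter
        daily[idx][ts.strftime("%Y%m%d")] += int(f["b"])
    return {idx: {day: round(b / 1024 / 1024, 2) for day, b in sorted(days.items())}
            for idx, days in daily.items()}

if __name__ == "__main__":
    print(daily_mb_by_index(SAMPLE_LOG))          # all indexes, like the chart by idx
    print(daily_mb_by_index(SAMPLE_LOG, "main"))  # only one index
```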
