I want to create a license usage dashboard based on what apps (meaning our application logs from IBM WAS servers, IIS logs or other .NET apps, etc.) our teams have in Splunk. I have all of it documented anyway in deployment-apps on the Deployment Server so I'd like to go through the process of grouping each app into an eventtype based on sources, etc. which constitute an application.

In the end, I just want a single dashboard with panels for each team so they can stop bugging me, the Splunk admin, for this information on not only how much license capacity the team is using but also what they have or don't have in Splunk - a nice one-stop dashboard.

Here's my issue: If I create an eventtype called example-app-xyz for the example app and run the search below, it will also give me an eventtype called "servers" but that overlays the example-app-xyz in my timechart. Servers will match the search but in this case, I only want eventtype values matching example-app-*.

Question: How can I hide the "servers" eventtype value (not the whole field) from the timechart command while still showing eventtype "example-app-xyz"? I'm not finding anything online so figured I'd post here as well.

Search:

index=_internal source=*license_usage.log type=Usage eventtype=example-app-*
| eval MB = b/1024/1024 
| rename idx AS index 
| timechart span=1d sum(MB) AS "Total MB used" by eventtype