How to get avg license per host for specific index...

a212830 · ‎03-21-2019

I have a request to determine the average license usage per host, for a few selected indexes, on a daily basis. Is there a way to do this?

harsmarvania57 · ‎03-21-2019

Hi,

Use below query to find per day license for every host which is sending to INDEX_A or INDEX_B

index=_internal host=LICENSE_SERVER source=*license_usage.log* (idx=INDEX_A OR idx=INDEX_B) | bin span=1d _time | stats sum(b) as bytes by h | eval GB=((bytes/1024)/1024)/1024

a212830 · ‎03-21-2019

Thanks. Should have been more specific, in addition to the host detailed info, a summary that shows the final average across all of them.

harsmarvania57 · ‎03-21-2019

Do you mean average of all hosts license usage then try below query

index=_internal host=LICENSE_SERVER source=*license_usage.log* (idx=INDEX_A OR idx=INDEX_B) | bin span=1d _time | stats sum(b) as bytes by h | eventstats avg(bytes) as avg_bytes

EDIT: Updated query.

a212830 · ‎03-21-2019

I want to calculate how much the average endpoint sends for these paticular indexes.

sloshburch · ‎05-10-2019

Based on the questions you've asked, I think you've got the answer here already.

In the license_usage.log the h is the host and idx is the indexes. So you're just doing stats sum(b) by h, idx.

How to get avg license per host for specific indexes

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk