| rest /services/authentication/users | mvexpand roles | table realname, title, roles, email | join roles [ rest /services/authorization/roles | rename title as roles | search srchIndexesAllowed=* | table roles srchIndexesAllowed] | rename realname as Name, title as Title, roles as Roles, email as Email, srchIndexesAllowed as "Indexes this user an access"
index=_internal source=*license_usage.log type="Usage" | stats sum(b) AS Volume by h | eval GB=round(Volume/1024/1024/1024,5) | table h GB | rename h as Host, GB as "GB Used" | sort - GB | head 5
index=_internal source="*license_usage.log*" type=Usage | stats sum(b) as bytes by st | eval MB=tostring(round(bytes/1024/1024,2),"commas")| rename st as Sourcetype | fields - bytes | sort - Megabytes