Splunk Searches | A collection of useful Splunk SPL

Splunk Search for License Usage by Sourcetype Copy


				index=_internal source=*license_usage.log type="Usage" 
 | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
```| search st=<insert sourcetype here>```
| timechart span=1d sum(eval(b/pow(1024,3))) by st

0 comments

[0]

Splunk Search for Predicting future Splunk license usage Copy


				index=_internal sourcetype=splunkd source="*license_usage.log*" type=Usage | timechart span=1d avg(b) as b | predict b future_timespan=7

0 comments

[0]

Splunk Search for License usage by pool Copy


				index=_internal source=*license_usage.log* type=Usage earliest=-24h| timechart span=1h sum(b) as Volume by  pool | eval Volume = round(bytes/1024/1024/1024,4) | rename Volume as "Volume (GB)"

0 comments

[0]

Splunk Search for License usage for each index for each day week Copy


				index=_internal source=*license_usage.log type="Usage" splunk_server=* earliest=-1w@d | eval Date=strftime(_time, "%A") | eventstats sum(b) as volume by idx, Date | eval MB=round(volume/1024/1024,5)| timechart first(MB) AS Volume by idx

0 comments

[0]

Splunk Search for Percentage of license usage for current day Copy


				| rest splunk_server=* /services/licenser/pools | rename title AS Pool | search [rest splunk_server=* /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% of Quota Used"=round(used_bytes/quota*100,2) | fields "% of Quota Used"

0 comments

[0]

Splunk Search for Top 5 license usage by host Copy


				index=_internal source=*license_usage.log type="Usage" | stats sum(b) AS Volume by h  | eval  GB=round(Volume/1024/1024/1024,5) | table h GB  | rename h as Host, GB as "GB Used" | sort - GB | head 5

0 comments

[0]

Splunk Search for Daily license usage for last month Copy


				index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | timechart span=1d sum(b) AS "License Usage" | eval "License Usage"=round("License Usage"/1024/1024/1024, 2)

0 comments

[0]

Splunk Search for Current license usage Copy


				| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [ rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id ] | join type=outer stack_id [rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota] | stats sum(used_bytes) as used_bytes, max(stack_quota) as total_quota | eval "Used (GB)"=round(used_bytes/1024/1024/1024,3) | eval "Quota (GB)"=round(total_quota/1024/1024/1024,3)

0 comments

[0]