Hi,
I have the following query to report on license utilization, and now want to filter out on specific slave indexers:
index=_internal source=*license_usage.log type="Usage" | join type=left i
[rest count=0 /services/licenser/slaves
| rename label as slave
| rename title as i
| table i slave] | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval sourcetypename = st | bin _time span=1d | stats sum(b) as b by _time, slave, st | eval GB=round(b/1024/1024/1024, 3) | fields _time, slave, st, GB
How would I do that, and where's the best place to put the filter in this query from a performance perspective? For example, I want a set of slaves, not all - slave=myservera OR slave=myserverb.
↧