We ingest the debug logs from our Autodesk license servers into Splunk for license usage reporting, pool exhaustion alerting, etc. I am trying to create a few reports to measure our unique user counts and maximum usage for our Autodesk licensing.

I am getting some inconsistent results where the number of unique users is a lot lower than the max number of users over the same time frame. I feel like it is something wrong with the unique users query, as the max users query results are pretty close to what I see in the live data. I am pretty new to Splunk so I suspect I am doing something wrong, but after many hours of trial and error I cannot figure out what. The queries are below. I would appreciate any suggestions anyone may have.

Unique users per application query:

    index="autodesk-licensing"
    | lookup autodesklicenses.csv Feature AS product OUTPUT FriendlyName AS "product"
    | rename "product" AS "Application", "username" AS "Username", "lichost" AS "Hostname"
    | dedup Username
    | addtotals
    | stats count BY "Application"
    | rename "count" AS "Total Unique Users"

Maximum usage query:

    index="autodesk-licensing" sourcetype="lmutil"
    | lookup autodesklicenses.csv Feature AS product OUTPUT FriendlyName AS "Autodesk License"
    | timechart max(current_license_usage) span=8hours by "Autodesk License"
    | eval date_wday=lower(strftime(_time,"%A"))
    | where NOT (date_wday="saturday" OR date_wday="sunday")
    | fields - date_wday