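##1 (SVC Usage)
```Hourly SVC utilisation against the stack entitlement, split into three mutually exclusive series (normal / elevated >=80% / degraded >=90%) so a panel can colour them differently.```
index=summary source="splunk-svc"
```One summary row per _time and role is kept; presumably the summary emits a row per role and duplicates would otherwise inflate the sum — confirm against the summary-generating search.```
| dedup _time, role
| stats sum(utilized_svc) as utilized_svc max(stack_license_svc) as stack_license_svc by _time
| timechart span=1h max(utilized_svc) AS utilized_svc max(stack_license_svc) AS stack_license_svc
```24-point (24h at span=1h) simple moving average; computed before the series split below so it covers every bucket.```
| trendline sma24(utilized_svc) AS "average SVC utilization"
```Both thresholds are null when no entitlement is recorded, so buckets without a licence value never get classified (previously only optimal_threshold had this guard).```
| eval optimal_threshold=if(stack_license_svc>0, stack_license_svc*.8, null())
| eval degradation_threshold=if(stack_license_svc>0, stack_license_svc*.9, null())
```Classification order matters: degraded first, elevated only when not degraded, then the base series is blanked where either applies.```
| eval degraded=if(stack_license_svc>0 AND utilized_svc>=degradation_threshold, utilized_svc, null())
| eval elevated=if(stack_license_svc>0 AND utilized_svc>=optimal_threshold AND isnull(degraded), utilized_svc, null())
| eval utilized_svc=if(isnull(elevated) AND isnull(degraded), utilized_svc, null())
| eval "license limit"=if(stack_license_svc>0, stack_license_svc, null())
```Sustained time in the degraded band is where skipped scheduled searches (see ##3) tend to show up; treat it as an operational alert, not just a chart.```
| fields - degradation_threshold stack_license_svc
| rename optimal_threshold as "optimal utilization threshold", utilized_svc as "utilized SVC"

##2 License SVC
```Single-value panel: most recent recorded SVC entitlement. Output column name is left as latest(stack_license_svc) because panels may reference it directly.```
index=summary source="splunk-svc"
| stats latest(stack_license_svc)

##3 Dispatch vs Skipped Searches
```Hourly dispatched vs skipped scheduled searches. A non-zero skipped count means a scheduled search never ran for that window; for scheduled detection searches that is a silent detection gap, so this number should also drive an alert rather than only a trend line.```
index=summary source="splunk-search-count"
| timechart span=1h sum(search_count) as "search count", sum(skipped_count) as "skipped count"

##4 SVC Consumers
```Hourly SVC by consumer category. Only the two fields the pipeline uses are kept; the no-op rename of "search" to "search" was dropped.```
index=summary source="splunk-svc-consumer"
| fields svc_usage svc_consumer
| timechart span=1h sum(svc_usage) by svc_consumer
| rename "data services" as "ingestion"

##5 SVC Usage by Search Type
```Hourly search-side SVC by search_type. The consumer filter is pushed into the base search so it is applied at the indexers instead of after field trimming; the two separate null/empty evals are merged into one.```
index=summary source="splunk-svc-consumer" svc_consumer="search"
| fields svc_usage search_type
| eval search_type=if(isnull(search_type) OR search_type=="", "other", search_type)
```timechart default limit=10 with useother=true: smaller search types are folded into OTHER rather than dropped.```
| timechart span=1h sum(svc_usage) by search_type

##6 SVC Usage by Ingestion
```Apportions the "data services" SVC usage across indexes in proportion to each index's share of ingested GB for the same _time bucket.```
index=summary source="splunk-ingestion"
| stats sum(ingestion_gb) as ingestion_gb by _time idx
| eventstats sum(ingestion_gb) as total_gb by _time
```ingestion_gb/total_gb yields null when total_gb is 0, so such buckets contribute nothing to the chart.```
| eval pct=ingestion_gb/total_gb
```join keeps at most one subsearch row per _time (max=1). The subsearch is pre-aggregated to exactly one row per _time so several "data services" rows in a bucket are summed rather than silently reduced to the first one — assumes the summary emits one such row per interval; confirm against the summary-generating search. Both summaries must bucket _time identically for the join to match; subsearch row/time limits still apply.```
| join type=inner _time
    [ search index=summary source="splunk-svc-consumer" svc_consumer="data services"
      | stats sum(svc_usage) as svc_usage by _time ]
| eval svc_usage=svc_usage*pct
```useother=false with the default limit=10 drops indexes outside the top 10 from the chart entirely; add limit=0 if the panel is meant to show every index.```
| timechart useother=false span=1h sum(svc_usage) by idx

##7 SVC Usage by Top 10 Apps
```Hourly search-side SVC for the top 10 apps by series total (timechart default limit=10; useother=false hides the rest, which matches the panel title). search_app!="" drops both empty and absent app names. Filters are pushed into the base search.```
index=summary source="splunk-svc-consumer" svc_consumer="search" search_app!=""
| fields svc_usage search_app
| timechart useother=false span=1h sum(svc_usage) AS total_svcs by search_app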