topic Re: What is using up my license in Installation

How to create a search to investigate source of over-limit license usage?

terryjohn — Wed, 17 Jun 2020 17:12:59 GMT

I have received a message saying today that my license using is nearly 3 times my limit. I cannot find anything in particular that is causing this. My current 1GB/day Enterprise license seems to be valid until next year.

Can anyone give me a search that will give me some idea what is using up my license as I do not want this to continue.

Thanks

Re: What is using up my license

JDukeSplunk — Tue, 01 Nov 2016 12:46:39 GMT

You could try this one.

https://answers.splunk.com/answers/417031/license-usage-by-source-type.html

Re: What is using up my license

rjthibod — Tue, 01 Nov 2016 13:07:16 GMT

This recent post can be helpful as well. https://answers.splunk.com/answers/469643/how-to-write-a-serach-to-list-hosts-sending-data-b.html#answer-469655

Re: What is using up my license

skoelpin — Tue, 01 Nov 2016 13:24:22 GMT

You should look at 'Settings>Licensing>Last 30 days' and sort by host, sourcetype, index and find out what is eating your license up. Once you identify what index its coming from, you can then drill down in that index and see what sourcetypes/sources are logging a lot.

If you don't have access to your license usage, then you can use the following searches

Here's a search to sort licenses usage by index

index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx   | timechart span=1d sum(b) AS volumeB by idx fixedrange=false  | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Here's a search to sort by sourcetype

index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx   | timechart span=1d sum(b) AS volumeB by st fixedrange=false  | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Re: What is using up my license

terryjohn — Tue, 01 Nov 2016 14:18:37 GMT

I found the index search gave me the results I need. By selecting a search just for Today and View Events then sorting by "b". I have one host generating an enormous amount of messages. I had my suspicions on that host anyway but now I can target it with more confidence. Thanks