Decode indexer name hashes (GUID) from license_usage.log

Spelunke
Path Finder

In license_usage.log the indexers appear as a kind of hash value (i=...):

01-02-2012 16:56:16.516 +0100 INFO  LicenseUsage - type=Usage s="udp:514" st="cisco_asa" h="172.16.22.7" o="" i="821C72AB-3C16-4124-B278-6C02F448DC22" pool="mypool" b=17906 poolsz=100000

For reporting I want to look up the real names of the indexers. Is there an internal lookup table for doing this?

Update: This field is the GUID of the system. But how do I look up the system name?

cyvi01
Path Finder

For Splunk 7 & 8 at least:

To get the daily ingestion per indexer with the hostname rather than the GUID, following your time range picker selection:

index=_telemetry source=*license_usage_summary.log* type="RolloverSummary"
| join type=inner slave [ | rest /servicesNS/-/-/search/distributed/peers splunk_server=local | table guid host | rename guid AS slave ]
| search host=*PATTERN*
| timechart span=1d eval(round(latest(b) / 1024 / 1024 / 1024, 3)) AS sizeGB BY host useother=f

Replace PATTERN with your indexers' hostname convention.

0 Karma

mlf
Path Finder

Assuming Splunk 6.x or better:

| rest /services/cluster/config 
| fields splunk_server guid
0 Karma

Jason
Motivator

Provided the indexers in question are also peers of this particular search head, you can join with this REST query from any, not just the license master:

rest /services/search/distributed/peers 
| table guid peerName

rphillips_splk
Splunk Employee

Don't forget the | before rest.
|rest /services/search/distributed/peers
| table guid peerName

0 Karma

Jason
Motivator

Yes, you can look up the hostname of the licenser slave in 4.3+ via the following:

Be sure to select a type of log in license_usage.log to avoid double-counting statistics.

index=_internal source=*license_usage.log type=Usage
| join type=left i 
    [| rest count=0 /services/licenser/slaves 
    | rename label as slave 
    | rename title as i 
    | table i slave]

The new "slave" field (or whatever you choose to rename label as) will now appear in the results.

Jason
Motivator

Remember you can just browse https://splunkinstance:8089 with a browser, and look for interesting things.

0 Karma

sowings
Splunk Employee

Clever. I'll have to remember this endpoint.

0 Karma

gmti
Engager

I'm sorry, but this is a lousy way to present information back to administrators during a rolling restart. You can't ping based on an indexer's Guid, you can't ssh to a Guid, you can't use the Guid in your web browser, so if there is a problem with an indexer in the cluster resolve it yourself. I brought this issue up with Splunk Professional Services and our sales engineers. I guess Splunk wanted to add back a little of the SH they have been taking out of IT.

0 Karma

Jason
Motivator

This feedback would be better off as an Enhancement Request to Splunk (a P4 to Splunk Support), rather than on here where they may not see it.

0 Karma

sowings
Splunk Employee

| rest /services/configs/conf-server/general

If you want to look for a specific server by its hostname, you can add splunk_server=<name> to the end of that search.

0 Karma

sowings
Splunk Employee

No; it only polls search peers by default. I suppose you could try splunk_server=<license_master> to the rest call, but that presumes that you have access to the license master itself.

0 Karma

Jason
Motivator

This does not display all the license slaves, it seems.

0 Karma

Spelunke
Path Finder

To answer my own question:

According to a Splunk guy it’s not possible to look up the GUID internally.

I built an external lookup table to do that.

0 Karma

Jason
Motivator

It is possible with the rest command, available in 4.3 onwards. See my answer.

0 Karma
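
The external lookup table mentioned in the last answer could look like the following Python script, an added example that is not code from the thread: it parses license_usage.log events, keeps only type=Usage events to avoid double-counting, and resolves the i= GUID through a GUID-to-hostname CSV. The hostname idx01.example.com, the CSV layout and every log line except the first are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# key=value pairs; a value is either "quoted" (possibly empty) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed GUID -> hostname table; idx01.example.com is a made-up name.
SAMPLE_LOOKUP_CSV = """guid,host
821C72AB-3C16-4124-B278-6C02F448DC22,idx01.example.com
"""

# Constructed sample: line 1 is the event from the question, the rest are invented.
SAMPLE_LOG = """\
01-02-2012 16:56:16.516 +0100 INFO  LicenseUsage - type=Usage s="udp:514" st="cisco_asa" h="172.16.22.7" o="" i="821C72AB-3C16-4124-B278-6C02F448DC22" pool="mypool" b=17906 poolsz=100000
01-02-2012 16:57:16.520 +0100 INFO  LicenseUsage - type=Usage s="udp:514" st="cisco_asa" h="172.16.22.7" o="" i="821c72ab-3c16-4124-b278-6c02f448dc22" pool="mypool" b=1094 poolsz=100000
01-02-2012 16:57:17.001 +0100 INFO  LicenseUsage - type=Usage s="/var/log/messages" st="syslog" h="web01" o="" i="00000000-0000-0000-0000-0000000000AA" pool="mypool" b=500 poolsz=100000
01-03-2012 00:00:00.000 +0100 INFO  LicenseUsage - type=RolloverSummary pool="mypool" slave="821C72AB-3C16-4124-B278-6C02F448DC22" b=19000 poolsz=100000
"""


def load_lookup(csv_text):
    """Return {GUID (upper-case): hostname} from CSV text with guid,host columns."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["guid"].strip().upper(): row["host"].strip() for row in reader}


def parse_line(line):
    """Extract the key=value fields of one license_usage.log event."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in KV_RE.finditer(line)}


def usage_by_indexer(log_text, guid_to_host):
    """Sum b (bytes) per indexer, counting type=Usage events only."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = parse_line(line)
        # Summary events repeat the same volume; counting them doubles totals.
        if fields.get("type") != "Usage" or "i" not in fields:
            continue
        guid = fields["i"].upper()
        # Unknown GUIDs stay visible under their raw value instead of vanishing.
        totals[guid_to_host.get(guid, guid)] += int(fields.get("b", 0))
    return dict(totals)


if __name__ == "__main__":
    print(usage_by_indexer(SAMPLE_LOG, load_lookup(SAMPLE_LOOKUP_CSV)))
```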