How to write the query for a Splunk license usage report for one year?

lksridhar
Explorer

Hi Team,

Could you please provide the search query to get the Splunk license usage report for the last 6 months?

Thanks,
Sridhar

0 Karma

lksridhar
Explorer

Is there any other way to get the license usage report in Splunk?

0 Karma

lksridhar
Explorer

Thanks for the quick reply, mirkoneverstops and dkeck.
I am able to get the license usage report for the last 30 days, but my _internal index retention period is 1 month, so I'm not able to pull the Splunk license report for the last 6 months. Could you please provide an alternate way to pull the license report for the last 6 months?

0 Karma

mirkoneverstops
Path Finder

I'm sorry, but if the _internal index retention period is 1 month, there is no way to get the last 6 months of license usage.
License usage stats are written to the _internal index, so all events older than 1 month are lost.

0 Karma

mirkoneverstops
Path Finder

I'd suggest using:
- a summary index (let's call it summary_internal or summary_adm) with a retention time of 50 or more years.
- a scheduled search which runs every night and collects license usage data into the previously created summary index.
The search SPL could be something like:

Daily Usage:
index=_internal earliest=@d latest=now source=license_usage.log type=RolloverSummary b>0 | eval mytime=_time-86400 | convert timeformat="%Y%m%d" ctime(mytime) AS real_date_ymd | stats latest(b) AS used_bytes latest(stacksz) AS stack_size by slave, pool, _time, real_date_ymd | eval metric_name="whateveryoulike" | collect index=mynewsummaryindex

Note: this should be executed at least 5 minutes past midnight.

This approach has many advantages:
- You can decrease the retention time of the _internal index, which contains the license usage stats
- Searches on summary index are much faster

Let me know if you need additional details.

0 Karma
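Added example, not part of any post in this thread: a reporting search that reads the summary index populated by the nightly search above and returns daily license usage for the last 6 months. It assumes the index name (`mynewsummaryindex`), the `metric_name` value and the field names (`used_bytes`, `stack_size`, `real_date_ymd`, `slave`, `pool`) exactly as they appear in that collecting search; the output field names `used_gb` and `pct_of_quota` are made up for this example.

```spl
index=mynewsummaryindex metric_name="whateveryoulike" earliest=-6mon@mon
| dedup real_date_ymd slave pool
| stats sum(used_bytes) AS used_bytes max(stack_size) AS stack_size BY real_date_ymd
| eval used_gb=round(used_bytes/pow(1024,3), 2)
| eval pct_of_quota=round(100*used_bytes/stack_size, 1)
| sort 0 real_date_ymd
| table real_date_ymd used_gb pct_of_quota
```

The `dedup` keeps one row per day, slave and pool, so a night on which the scheduled search ran twice is not counted double. The report only covers days on which the collecting search actually ran; usage older than the `_internal` retention at the time the summary was started cannot be recovered.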