Could you please provide the search query to get the Splunk license usage report for the last 6 months?
Thanks for the quick reply, mirkoneverstops and dkeck,
I am able to get the license usage report for the last 30 days, but my _internal index retention period is 1 month, so I'm not able to pull the Splunk license report for the last 6 months. Could you please provide an alternate way to pull the license report for the last 6 months?
I'm sorry, but if the _internal index retention period is 1 month, there is no way to get the last 6 months of license usage.
License usage stats are written to the _internal index, so all events older than 1 month are lost.
I'd suggest to use:
- a summary index (let's call it summary_internal or summary_adm) with a time retention of 50 or more years.
- a scheduled search which runs every night and collects license usage data into the previously created summary index.
The search SPL could be something like:
index=_internal earliest=@d latest=now source=*license_usage.log type=RolloverSummary b>0
| eval mytime=_time-86400
| convert timeformat="%Y%m%d" ctime(mytime) AS real_date_ymd
| stats latest(b) AS used_bytes latest(stacksz) AS stack_size by slave, pool, _time, real_date_ymd
| eval metric_name="whateveryoulike"
| collect index=mynewsummaryindex
**Note**: This should be executed at least 5 minutes past midnight.
This approach has many advantages:
- You can decrease time retention of index _internal which contains license usage stats
- Searches on summary index are much faster
Let me know if you need additional details.
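The two steps from the answer above (a long-retention summary index plus a nightly scheduled search) written out as Splunk configuration. This is an added example, not part of the original post; the index name `summary_internal`, the saved search name, the `metric_name` value and the 00:15 schedule are assumptions chosen for illustration.

```ini
# indexes.conf (on the indexers)
# Constructed example: index name and paths are assumptions.
[summary_internal]
homePath   = $SPLUNK_DB/summary_internal/db
coldPath   = $SPLUNK_DB/summary_internal/colddb
thawedPath = $SPLUNK_DB/summary_internal/thaweddb
# 50 years * 365 days * 86400 seconds, matching the retention suggested above.
# Buckets are also frozen when the index size limit is reached, so check
# maxTotalDataSizeMB as well if the index is expected to grow large.
frozenTimePeriodInSecs = 1576800000

# savedsearches.conf (on a search head that can search the license
# master's _internal index)
# Constructed example: stanza name and metric_name are assumptions.
[Summary - daily license usage]
enableSched = 1
# 00:15 every night, i.e. more than 5 minutes past midnight so the
# RolloverSummary events for the previous day have been written.
cron_schedule = 15 0 * * *
dispatch.earliest_time = @d
dispatch.latest_time = now
search = index=_internal source=*license_usage.log type=RolloverSummary b>0 \
| eval mytime=_time-86400 \
| convert timeformat="%Y%m%d" ctime(mytime) AS real_date_ymd \
| stats latest(b) AS used_bytes latest(stacksz) AS stack_size by slave, pool, _time, real_date_ymd \
| eval metric_name="license_daily" \
| collect index=summary_internal
```

The summary index only holds data from the first nightly run onward, so a six-month report (for example a search on `index=summary_internal metric_name="license_daily" earliest=-6mon@d`) becomes complete once the search has been running that long.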