
License Master license usage 30 days

ansif
Motivator

I am not able to get 30 days of license usage from the License Master server. The License Master sends its internal logs to the indexers as best practice, and I have added the indexers as search peers, but I am still not able to get 30 days of license usage data in the dashboard. Please help.

0 Karma

dwraesner
Path Finder

Hi Ansif,

Your question was under "Questions related to License Usage Dashboard", so I assumed you were using the app "License Usage Dashboard". It provides more license usage data than the built-in tool.

  1. License master _internal logs are sent to Indexer cluster.
    This is Splunk best practice.

  2. Do I need to install additional app in search head to view license usage for past 30 days?
    Don't need to, but try the License Usage Dashboard for additional license usage data reporting.

  3. Can't I make License master as Search head for this purpose?
    You can for test purposes, but it's not Splunk best practice to dual-purpose the license master also as a search head, and as mentioned above the _internal logs from the license master are now being sent to the indexers.

  4. "The license master is configured to forward its events to the indexers (read more about this best practice in the Distributed Search Manual) but it has not been configured to be a search head. This is easily remedied by adding all indexers to whom the license master is forwarding events as search peers."
    Yes, all the indexers should be added and enabled as search peers.

0 Karma

ansif
Motivator

@dwraesner : Could you please let me know what went wrong or what are the things I need to check?

0 Karma

dwraesner
Path Finder

Lycollicott and LeeSart are both on the right track.

Just updated the app to 3.4, and added more detailed instructions about where to install the app, which are listed below. Within the License Usage Dashboard app, click the menu item Setup in the upper left corner, and you'll see the following setup instructions.

Must Be Installed On The License Master Server, or Search Head depending on where the _internal logs are sent, and specifically the license_usage.log file. Best practice is to send the _internal logs to the indexer/s so in this case the app would be installed on the search head/s.

To Include The "_internal" Index In The User's Role To View The License Data

Select:

Settings -> Access Controls -> Roles -> the specific user role under Role Name

Add the _internal index to the Selected Search Indexes column under Indexes

Save

Here are a couple of additional troubleshooting tips:

http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/LicenseUsageReportViewexamples

Troubleshoot LURV: no results in 30 days tab

A lack of results in the panels of the Last 30 days view of the License Usage Report View indicates that the license master on which this page is viewed is unable to find events from its own $SPLUNK_HOME/var/log/splunk/license_usage.log file when searching.

This typically has one of two causes:

  1. The license master is configured to forward its events to the indexers (read more about this best practice in the Distributed Search Manual) but it has not been configured to be a search head. This is easily remedied by adding all indexers to whom the license master is forwarding events as search peers.
  2. The license master is not reading (and therefore, indexing) events from its own $SPLUNK_HOME/var/log/splunk directory. This can happen if the [monitor://$SPLUNK_HOME/var/log/splunk] default data input is disabled for some reason.

You might also have a gap in your data if your license master is down at midnight.

In addition, make sure the number of days of _internal data being saved via frozenTimePeriodInSecs is more than 30, and that enough storage is allocated for that number of days.

https://answers.splunk.com/answers/392100/how-to-get-the-the-splunk-license-usage-dashboard.html

Here's the solution, folks!
Increase the size of the internal index on the license server (change the full domain below):
- Increase to ~ 30GB (if you can)
Make a dashboard with this query (change the license amount to anything you want, then set it to overlay):
index=_internal source=*license_usage.log type="RolloverSummary" | timechart sum(eval(round(b/1024/1024/1024))) AS GB | eval license = 100
Answer by andrewjhill

Oct 25 at 11:45 AM
andrewjhill · Oct 25 at 11:47 AM

Update the local indexes.conf file as well -- example:
/opt/splunk/etc/system/local/indexes.conf

[_internal]
maxTotalDataSizeMB = 30720
maxDataSize = 1000
tstatsHomePath = volume:_splunk_summaries/_internaldb/datamodel_summary
coldPath = $SPLUNK_DB/_internaldb/colddb
homePath = $SPLUNK_DB/_internaldb/db
frozenTimePeriodInSecs = 31104000
thawedPath = $SPLUNK_DB/_internaldb/thaweddb
maxHotSpanSecs = 432000

0 Karma
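The two configuration causes named in the post above (a disabled monitor input for $SPLUNK_HOME/var/log/splunk, and _internal retention of 30 days or less) can be checked offline against copies of the .conf files. This is an added example, not part of the original thread or of any Splunk app; the function names are hypothetical, the sample files are constructed, and it reads one file of each kind without resolving Splunk's configuration layering.

```python
import re

# Constructed sample configs (not taken from a real deployment).
INDEXES_CONF = """\
[_internal]
maxTotalDataSizeMB = 30720
frozenTimePeriodInSecs = 1209600
"""
INPUTS_CONF = """\
[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
disabled = true
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (no line continuations)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(.*)\]$", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_lurv_prereqs(indexes_text, inputs_text, min_days=30):
    """Return findings that would explain an empty 'Last 30 days' view."""
    findings = []
    internal = parse_conf(indexes_text).get("_internal", {})
    frozen = internal.get("frozenTimePeriodInSecs")
    if frozen is None:
        findings.append("retention: frozenTimePeriodInSecs not set in this file (layered default applies)")
    elif int(frozen) / 86400 <= min_days:
        findings.append(f"retention: _internal keeps {int(frozen) / 86400:.0f} days, need more than {min_days}")
    monitor = parse_conf(inputs_text).get("monitor://$SPLUNK_HOME/var/log/splunk", {})
    if monitor.get("disabled", "false").lower() in ("1", "true"):
        findings.append("input: monitor of $SPLUNK_HOME/var/log/splunk is disabled")
    return findings

if __name__ == "__main__":
    for finding in check_lurv_prereqs(INDEXES_CONF, INPUTS_CONF):
        print(finding)
```
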

ansif
Motivator

@dwraesner : What app are you referring to? I am using the License usage dashboard which is available by default (Settings -> Licensing, Usage Report)

  1. License master _internal logs are sent to Indexer cluster.
  2. Do I need to install additional app in search head to view license usage for past 30 days?
  3. Can't I make License master as Search head for this purpose?
  4. "The license master is configured to forward its events to the indexers (read more about this best practice in the Distributed Search Manual) but it has not been configured to be a search head. This is easily remedied by adding all indexers to whom the license master is forwarding events as search peers."

I have added Indexer under distributed search search peers. Am I missing any other configuration? (NB: My search peers list has search heads too, since the same license master server is used as DMC.)

0 Karma

lycollicott
Motivator

What user are you logged in as? Does that user have access to the internal index?

0 Karma

ansif
Motivator

Admin user.

0 Karma

LeeSart
Explorer

Following on from lycollicott's answer, make sure your user has rights to search the _internal index. I had this same problem, and once I gave my user's role access to _internal the dashboard worked.

0 Karma

ansif
Motivator

@LeeSart : By default, admin has access to all indexes, right? Do I need to explicitly give permission?

0 Karma

LeeSart
Explorer

If you're using the default admin account, then yes you already have access to all indexes and don't need to explicitly give permission.

Have you checked that the License Master can see the license usage data? Try this query:
index=_internal source=*license_usage.log type=Usage

If this query doesn't return any results, then there is likely something wrong with your search peer configuration.

0 Karma