All Apps and Add-ons

License Master license usage 30 days

ansif
Motivator

Not able to get 30days license usage from License Master server. License Master sends its internal logs to Indexer as best practice but I have added Indexers as search peers even I am not able to get 30days license usage data in the dashboard.Please help.

0 Karma

dwraesner
Explorer

Hi Ansif,

Your question was under "Questions related to License Usage Dashboard" so I assumed you were using the app "License Usage Dashboard". It provides more additional license usage data than the built in tool.

  1. License master _internal logs are sent to Indexer cluster.
    This is Splunk best practice.

  2. Do I need to install additional app in search head to view license usage for past 30 days?
    Don't need too, but try the License Usage Dashboard for additional license usage data reporting.

  3. Cant I make License master as Search head for this purpose?
    You can for test purposes, but its not Splunk best practice to dual-purpose the license master also as a search head, and as mentioned above the _internal logs from the license master are now being sent to the indexers.

  4. "The license master is configured to forward its events to the indexers (read more about this best practice in the Distributed Search Manual) but it has not been configured to be a search head. This is easily remedied by adding all indexers to whom the license master is forwarding events as search peers."
    Yes, all the indexers should be added and enabled as search peers.

0 Karma

ansif
Motivator

@dwraesner : Could you please let me know what went wrong or what are the things I need to check?

0 Karma

dwraesner
Explorer

Lycollicott and LeeSart are both on the right track.

Just updated the app to 3.4, and added more detailed instructions about where to install the app which is listed below. Within the License Usage Dashboard app click the menu item Setup in the upper left corner, and you'll see the following setup instructions.

Must Be Installed On The License Master Server, or Search Head depending on where the _internal logs are sent, and specifically the license_usage.log file. Best practice is to send the _internal logs to the indexer/s so in this case the app would be installed on the search head/s.

To Include The "_internal" Index In The User's Role To View The License Data

Select:

Settings -> Access Controls -> Roles -> the specific user role under Role Name

Add the _internal index to the Selected Search Indexes column under Indexes

Save

Here are a couple of additional troubleshooting tips:

http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/LicenseUsageReportViewexamples

Troubleshoot LURV: no results in 30 days tab

A lack of results in the panels of the Last 30 days view of the License Usage Report View indicates that the license master on which this page is viewed is unable to find events from its own $SPLUNK_HOME/var/log/splunk/license_usage.log file when searching.

This typically has one of two causes:

  1. The license master is configured to forward its events to the indexers (read more about this best practice in the Distributed Search Manual) but it has not been configured to be a search head. This is easily remedied by adding all indexers to whom the license master is forwarding events as search peers.
  2. The license master is not reading (and therefore, indexing) events from its own $SPLUNK_HOME/var/log/splunk directory. This can happen if the [monitor://$SPLUNK_HOME/var/log/splunk] default data input is disabled for some reason.

You might also have a gap in your data if your license master is down at midnight.

In addition, make sure the number of days of _internal data being saved via frozenTimePeriodInSecs is more than 30, and that enough storage is allocated for that number of days.

https://answers.splunk.com/answers/392100/how-to-get-the-the-splunk-license-usage-dashboard.html

Here's the solution, folks!
Increase the size of the internal index on the license server (change the full domain below):
- Increase to ~ 30GB (if you can)
Make a dashboard with this query (change the license amount to anything you want, then set it to overlay):
index=_internal source=*license_usage.log type="RolloverSummary" | timechart sum(eval(round(b/1024/1024/1024))) AS GB | eval license = 100
Answer by andrewjhill

Oct 25 at 11:45 AM
andrewjhill · Oct 25 at 11:47 AM

Update the local indexes.conf file as well -- example:
/opt/splunk/etc/system/local/indexes.conf

[_internal]
maxTotalDataSizeMB = 30720
maxDataSize = 1000
tstatsHomePath = volume:_splunk_summaries/_internaldb/datamodel_summary
coldPath = $SPLUNK_DB/_internaldb/colddb
homePath = $SPLUNK_DB/_internaldb/db
frozenTimePeriodInSecs = 31104000
thawedPath = $SPLUNK_DB/_internaldb/thaweddb
maxHotSpanSecs = 432000

0 Karma

ansif
Motivator

@dwraesner : What app you are referring to? I am using License usage dashboard whkich is available by default (Setting -> License ,Usage Report)

  1. License master _internal logs are sent to Indexer cluster.
  2. Do I need to install additional app in search head to view license usage for past 30 days?
  3. Cant I make License master as Search head for this purpose?
  4. "The license master is configured to forward its events to the indexers (read more about this best practice in the Distributed Search Manual) but it has not been configured to be a search head. This is easily remedied by adding all indexers to whom the license master is forwarding events as search peers."

I have added Indexer under distributed search search peers.Am I missing any other configuration? (NB:- My search peers list has search heads too since the same license master server is used as DMC)

0 Karma

lycollicott
Motivator

What user are you logged in as? Does that user have access to the internal index?

0 Karma

ansif
Motivator

Admin user.

0 Karma

LeeSart
Explorer

Following on from lycollicott's answer, make sure your user has rights to search the _internal index. I had this same problem, and once I gave my user's role access to _internal the dashboard worked.

0 Karma

ansif
Motivator

@LeeSart : By Default admin has access to all indexes right? Do I need to explicitly give permission?

0 Karma

LeeSart
Explorer

If you're using the default admin account, then yes you already have access to all indexes and don't need to explicitly give permission.

Have you checked that the License Master can see the license usage data? Try this query:
index=_internal source=*license_usage.log type=Usage

If this query doesn't return any results, then there is likely something wrong with your search peer configuration.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...