Not able to get 30days license usage from License Master server. License Master sends its internal logs to Indexer as best practice but I have added Indexers as search peers even I am not able to get 30days license usage data in the dashboard.Please help.
Following on from lycollicott's answer, make sure your user has rights to search the _internal index. I had this same problem, and once I gave my user's role access to _internal the dashboard worked.
If you're using the default admin account, then yes you already have access to all indexes and don't need to explicitly give permission.
Have you checked that the License Master can see the license usage data? Try this query:
index=internal source=*licenseusage.log type=Usage
If this query doesn't return any results, then there is likely something wrong with your search peer configuration.
Lycollicott and LeeSart are both on the right track.
Just updated the app to 3.4, and added more detailed instructions about where to install the app which is listed below. Within the License Usage Dashboard app click the menu item Setup in the upper left corner, and you'll see the following setup instructions.
Must Be Installed On The License Master Server, or Search Head depending on where the internal logs are sent, and specifically the licenseusage.log file. Best practice is to send the _internal logs to the indexer/s so in this case the app would be installed on the search head/s.
To Include The "_internal" Index In The User's Role To View The License Data
Settings -> Access Controls -> Roles -> the specific user role under Role Name
Add the _internal index to the Selected Search Indexes column under Indexes
Here are a couple of additional troubleshooting tips:
Troubleshoot LURV: no results in 30 days tab
A lack of results in the panels of the Last 30 days view of the License Usage Report View indicates that the license master on which this page is viewed is unable to find events from its own $SPLUNKHOME/var/log/splunk/licenseusage.log file when searching.
This typically has one of two causes:
You might also have a gap in your data if your license master is down at midnight.
In addition, make sure the number of days of _internal data being saved via frozenTimePeriodInSecs is more than 30, and that enough storage is allocated for that number of days.
Here's the solution, folks!
Increase the size of the internal index on the license server (change the full domain below):
- Increase to ~ 30GB (if you can)
Make a dashboard with this query (change the license amount to anything you want, then set it to overlay):
index=internal source=*licenseusage.log type="RolloverSummary" | timechart sum(eval(round(b/1024/1024/1024))) AS GB | eval license = 100
Answer by andrewjhill
Oct 25 at 11:45 AM
andrewjhill · Oct 25 at 11:47 AM
Update the local indexes.conf file as well -- example:
maxTotalDataSizeMB = 30720
maxDataSize = 1000
tstatsHomePath = volume:splunksummaries/internaldb/datamodelsummary
coldPath = $SPLUNKDB/internaldb/colddb
homePath = $SPLUNKDB/internaldb/db
frozenTimePeriodInSecs = 31104000
thawedPath = $SPLUNKDB/_internaldb/thaweddb
maxHotSpanSecs = 432000
@dwraesner : What app you are referring to? I am using License usage dashboard whkich is available by default (Setting -> License ,Usage Report)
I have added Indexer under distributed search search peers.Am I missing any other configuration? (NB:- My search peers list has search heads too since the same license master server is used as DMC)
Your question was under "Questions related to License Usage Dashboard" so I assumed you were using the app "License Usage Dashboard". It provides more additional license usage data than the built in tool.
License master _internal logs are sent to Indexer cluster.
This is Splunk best practice.
Do I need to install additional app in search head to view license usage for past 30 days?
Don't need too, but try the License Usage Dashboard for additional license usage data reporting.
Cant I make License master as Search head for this purpose?
You can for test purposes, but its not Splunk best practice to dual-purpose the license master also as a search head, and as mentioned above the _internal logs from the license master are now being sent to the indexers.
"The license master is configured to forward its events to the indexers (read more about this best practice in the Distributed Search Manual) but it has not been configured to be a search head. This is easily remedied by adding all indexers to whom the license master is forwarding events as search peers."
Yes, all the indexers should be added and enabled as search peers.