All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

License usage monitoring issue

wmosher
Path Finder
‎01-03-2012 02:11 PM

I am using the following query and getting data indexed totals much higher than expected. On our previous version/implementation of Splunk we encountered an occasional license violation but nothing like these numbers yet we have even less inputs turned on at this point. These are nearly three times larger than our license yet we have no violations so something has to be out of whack.

index=_internal source=*license_usage.log | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool

Does this query look okay? Am I using this data wrong? Does this log list pre-compressed totals or does it log cumulative totals?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

joshd
Builder
‎01-03-2012 02:23 PM

I've listed some queries you can use on my blog...

http://www.joshd.ca/content/splunk-usage-statistic-searches

However I would highly recommend using the free Splunk Deployment Monitor app. Check it out on Splunkbase here:

http://splunk-base.splunk.com/apps/22301/splunk-deployment-monitor

View solution in original post

Reply
Solved! Jump to solution

kobi_biton
New Member
‎01-05-2012 03:55 PM

hi I am running the above query and gets a result how do I setup an alert based on the returned sum(totalGB) Field ?

Thanks

0 Karma
Reply
Solved! Jump to solution

wmosher
Path Finder
‎01-09-2012 11:23 AM

This is pretty much an entirely new question, however if you save your search and check the box to schedule it, some alerting options will present themselves.

0 Karma
Reply
Solved! Jump to solution
Solution

joshd
Builder
‎01-03-2012 02:23 PM

I've listed some queries you can use on my blog...

http://www.joshd.ca/content/splunk-usage-statistic-searches

However I would highly recommend using the free Splunk Deployment Monitor app. Check it out on Splunkbase here:

http://splunk-base.splunk.com/apps/22301/splunk-deployment-monitor

Reply
Solved! Jump to solution

joshd
Builder
‎01-03-2012 03:25 PM

Great to hear! That's why I wanted to post all the searches so they can independantly be used as alerts... Glad to hear it'll meet your needs! Remember to accept the answer posted so no questions are left in limbo as unanswered 🙂

0 Karma
Reply
Solved! Jump to solution

wmosher
Path Finder
‎01-03-2012 02:32 PM

The numbers from this query in your post look more accurate.

index=_internal source=*metrics.log group=per_index_thruput series!=_*
| eval totalGB = (kb/1024)/1024 | timechart span=1d sum(totalGB)

The one I was trying to use must have worked at some point though, I got it from here: http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

We are using the Deployment Monitor app as well and love it, just wanted some additional total GB alerts at mid-day.

Thanks so much!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...