All Apps and Add-ons

Query about Indexing License Count

Path Finder

If Splunk starts indexing any big size file at the end of a calendar day and splunk completes its indexing after the start of another day, then how will its license usage count gets calculated? I mean to say, if it will be counted in the current calendar day or will it be counted in next calendar day. Assuming there is no license violation on either of the day.

Regards,
Disha

0 Karma
1 Solution

Path Finder

We had an discussion with Splunk Team, we raised this query with them and as per their response, total volume will be divided into both days license count depending upon their indexing volume that has been indexed per day.

In other words, the volume which has been indexed before till 11:59PM today will be counted in today's license, rest of the volume of that file will be get calculated in licnse count of next day.
My query had not any dependency on Licensing server. It has its own defined role.

Thanks Splunk Team, I am posting this answer on behalf of you.

Regards,
Disha

View solution in original post

Path Finder

We had an discussion with Splunk Team, we raised this query with them and as per their response, total volume will be divided into both days license count depending upon their indexing volume that has been indexed per day.

In other words, the volume which has been indexed before till 11:59PM today will be counted in today's license, rest of the volume of that file will be get calculated in licnse count of next day.
My query had not any dependency on Licensing server. It has its own defined role.

Thanks Splunk Team, I am posting this answer on behalf of you.

Regards,
Disha

View solution in original post

Motivator

The license count is per day. You can verify this with the following splunk query:

splunk_server=your_license_server index=_internal source="*license_usage.*" AND  st=your_source_type | eval GB=b/1024/1024/1024  | bucket _time span=1d| stats sum(GB) as GB by _time st

Assuming that your splunk license server name is "a.com" and the source type is "tcp-raw" the query will be:

splunk_server=a.com index=_internal source="*license_usage.*" AND st=tcp-raw | eval GB=b/1024/1024/1024  | bucket _time span=1d| stats sum(GB) as GB by _time st

Select the dates you need.

Thanks,
Lp

Path Finder

Hi Ipolo,
Did you get any idea?

Regards,
Disha

0 Karma

Path Finder

Hi Ipolo,

Thanks for your answer, sincere apologies for replying so late.
I would like to give an example to explain my query, if I am indexing a file of 4GB at the end of the day, then if 1GB file gets indexed at same day before 12:00AM of next day and rest of the 3GB file completes its indexing after the start of the next day, then how license usage will be calculated? Will it be counted in previous day or in the license usage count of next day, or will it be divided as per the size?
Please suggest.

Regards,
Disha

0 Karma

Motivator

The license server keeps track of the license usage of each indexer. Therefore, the query will do its job either way.

0 Karma

Motivator

Hello, I think it will work if your license server is also an indexer. If not it won work

0 Karma

Motivator

Your observation is valid. However, the query is correct. If the query is executed from a master head server, the query will work. If the query is executed in the license server perse the query will work too.

0 Karma

Motivator

I think there is a mistake in your search, the first part should read host=a.com instead of splunk_server=a.com

Unless is a standalone server

Regards

0 Karma