Installation

License usage by own sourcetype / App

maada
Explorer

I would like to qurey from a license host on the _internal index the license usage of specific, individual defined sourcetypes in separate apps. If I run the search on the _internal index i dont see my sourcetypes?

the goal is to have a report based on each own app (use case) and a breakdown to the data source / sourcetype included in the app.

Thanks!

Tags (1)
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

You should be able to see the license usage by sourcetype using following query.

index=_internal source=*license_usage.log type=usage | stats sum(b) as usageGB by st  | eval usage=round(usage/1024/1024/1024,3) | rename st as sourcetype

Splunk doesn't log license usage based on app name. For that you should generate a lookup table manually with app name to sourcetype mapping and include that in above query to get the app name as well.

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You should be able to see the license usage by sourcetype using following query.

index=_internal source=*license_usage.log type=usage | stats sum(b) as usageGB by st  | eval usage=round(usage/1024/1024/1024,3) | rename st as sourcetype

Splunk doesn't log license usage based on app name. For that you should generate a lookup table manually with app name to sourcetype mapping and include that in above query to get the app name as well.

0 Karma

maada
Explorer

Hi, thanks. yes that works - as long as that individual indexer is not connected to a license master. Afterwards there is no information locally on the license slave to license usage.

is there any possibility to log that information as well on the license slave?

THANKS!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The license master node manages the licensing and all logs are generated on license master. It is recommended thought to forwarder the (internal) logs from license master/search head to indexers, so that you'll have data in one centralized location (indexers). Any specific reason you want to run search from individual license slave/indexers?

0 Karma

maada
Explorer

thanks for the quick reply. yes. the license master is provided by central it department. different business departments (industry) operate their own Splunk instance and need to check during development of apps how much license the use case consumes and what impact adjustments to data sources have on the license volume. the way going always to central IT for reports is a bit complicated.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

If you see the license usage log, there is field called i which is the indexer GUID. You can create a lookup with GUID and Indexers ( | rest /services/licenser/slaves | table title label | rename title as i label as Indexer ) and add to license usage report to see data for specific indexers.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...