Security

See count of license violations in last 30 days?

mfrost8
Builder

We have had several license violations recently and I'm not certain how close we are to our 30-day limit. I'd like to know how many violations Splunk thinks I've had in the last 30 days to know how concerned I should be. I actually know that we've gone over for the past 3 days for certain due to some unusual testing that occurred, but I'm not sure if this is violation #4 in 30 days or just #3.

I looked in Manager -> License, but it shows "Warnings: 0". I don't see anything else on that page that would indicate how many I've had in 30 days. (I would really expect that this info should be on the license page.)

Is there a query I can run to tell me the number of violations in the last 30 days?

I'm running Splunk 4.2.4.

Thanks


MHibbin
Influencer

Hi,

In the Splunk log files, you should look at "license_audit.log", which can be found in "$SPLUNK_HOME/var/log/splunk/". Here you will see information regarding license violations.

So you could search on

index=_internal licensemanager

If you have access to the internal index, the fields should be extracted for you.

Regards,

Matt


Lionel
Splunk Employee

Hello,

In addition, I wanted to let you know that there are a couple of apps on SplunkBase that could help you on this matter.

The first app, "Splunk License Usage" (http://splunk-base.splunk.com/apps/22382/splunk-license-usage), will show you your license usage through dashboards.
The second one, "Real Time License Usage" (http://splunk-base.splunk.com/apps/22296/real-time-license-usage), will show you your daily license usage and assist you in monitoring your license usage proactively.

Both of them can be installed on top of 4.2.x quite easily.

Thank you,

Lionel

mfrost8
Builder

Thanks. I actually have both of these. They tell me about my license usage now (or today or for the last 12 hours, etc). My problem here is that I know I've had some violations in the last 30 days, I just can't remember how many within that window and I don't want to come in tomorrow to find out I can't search for another, say, 25 days.


Kate_Lawrence-G
Contributor

Hi,

I use the following. You can run it for a 30-day window, and in a distributed environment it will break it out by indexer. I also use it as an alert to let me know if one of the indexers has "tripped" overnight.

index="_internal" "ERROR" host="ccpspl" NOT debug source="splunkd.log*" "ERROR LicenseManager - Daily indexing volume limit exceeded." | eval ler="ERROR LicenseManager - Daily indexing volume limit exceeded." | stats count(ler) BY host

You can also check your indexer and run a

./splunk show license

and see the exact days that you violated your license limit.

-- Kate


Kate_Lawrence-G
Contributor

The query should be OK, but I am running 4.1.6 and it may be slightly different in 4.2.x.

The command in 4.2.x is
./splunk display license


mfrost8
Builder

Also, it sounds like I'm mistaken about when a violation "resets". It was my understanding that you had to drop below 5 violations in a 30-day period. It sounds like you're saying that once you go over 5 in 30 days, you have to drop back to 0 violations in a 30-day period before you can do search again?


mfrost8
Builder

Thanks. For some reason, I had difficulty getting this to show me anything. (Yes, I changed the hostname to the Splunk indexer 🙂 ).

When I run "splunk show license", it tells me that that command is deprecated.


MHibbin
Influencer

That's great... It was a typo on my behalf (re: license_audit.log). I will edit my answer to be more reflective of this!

If this answered your question, would you mind marking the question as answered, which will help other splunkers (both those trying to answer and those looking for answers), thanks!


mfrost8
Builder

Thanks. This pointed me in the right direction. (It seems to be "license_audit.log" under 4.2.4.) I wound up with the following:

index="_internal" source="/opt/splunk/var/log/splunk/license_audit.log" quotaExceededCount="1" | stats count

run over the last 30 days.
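As an added example (my own code, not from this thread and not from Splunk), here is a small Python script that does offline what the two searches in this thread do: it parses license audit events, keeps only those with a quotaExceededCount of 1 or more inside a rolling 30-day window, and counts them in total (the final "stats count" search) and per host (Kate's "stats count BY host" alert). The line layout, the host names and the pool field in the sample are constructed for this example; a real license_audit.log may differ, so treat parse_line as the piece to adapt rather than as the actual file format. The 5-in-30 limit is the one the thread refers to.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample license audit events. The timestamp layout and the
# key=value fields (host, pool, quotaExceededCount) are assumptions made for
# this example; they are not copied from a real license_audit.log.
SAMPLE_LOG = """\
09-01-2011 00:00:05.000 +0000 host=idx01 pool=auto_generated_pool_enterprise quotaExceededCount=0
09-20-2011 00:00:05.000 +0000 host=idx01 pool=auto_generated_pool_enterprise quotaExceededCount=1
09-28-2011 00:00:05.000 +0000 host=idx02 pool=auto_generated_pool_enterprise quotaExceededCount=1
10-01-2011 00:00:05.000 +0000 host=idx01 pool=auto_generated_pool_enterprise quotaExceededCount=1
10-02-2011 00:00:05.000 +0000 host=idx01 pool=auto_generated_pool_enterprise quotaExceededCount=1
10-03-2011 00:00:05.000 +0000 host=idx01 pool=auto_generated_pool_enterprise quotaExceededCount=1
this line is not an audit event and is skipped by the parser
"""

# "Now" for the constructed sample, so the 30-day window is reproducible.
SAMPLE_NOW = datetime(2011, 10, 3, 12, 0, tzinfo=timezone.utc)

# Rolling-window limit discussed in the thread: 5 violations in 30 days.
VIOLATION_LIMIT = 5

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) (?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_FMT = "%m-%d-%Y %H:%M:%S.%f %z"


def parse_line(line):
    """Parse one audit line into a dict of fields plus a timezone-aware _time.

    Returns None for lines that do not start with the assumed timestamp layout.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["_time"] = datetime.strptime(m.group("ts"), TS_FMT)
    return fields


def count_violations(lines, now, window_days=30):
    """Count events with quotaExceededCount >= 1 in the last window_days.

    Returns (total, per_host), where per_host is a Counter keyed by host,
    mirroring the thread's "stats count" and "stats count BY host" searches.
    """
    cutoff = now - timedelta(days=window_days)
    per_host = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or not (cutoff <= ev["_time"] <= now):
            continue
        try:
            exceeded = int(ev.get("quotaExceededCount", "0"))
        except ValueError:
            continue  # malformed count: skip rather than miscount
        if exceeded >= 1:
            per_host[ev.get("host", "unknown")] += 1
    return sum(per_host.values()), per_host


def remaining_before_limit(total, limit=VIOLATION_LIMIT):
    """How many more violations fit in the window before the limit is reached."""
    return max(limit - total, 0)


if __name__ == "__main__":
    total, per_host = count_violations(SAMPLE_LOG.splitlines(), SAMPLE_NOW)
    print(f"violations in last 30 days: {total}")
    for host, n in sorted(per_host.items()):
        print(f"  {host}: {n}")
    print(f"remaining before limit of {VIOLATION_LIMIT}: "
          f"{remaining_before_limit(total)}")
```

On the sample this reports 5 violations in the window (4 on idx01, 1 on idx02) and 0 remaining before the limit, which is exactly the "is this #3 or #4?" question the search answers; pointing the script at a copy of the real file means replacing SAMPLE_LOG with the file's lines and SAMPLE_NOW with the current time.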
