We have had several license violations recently and I'm not certain how close we are to our 30-day limit. I'd like to know how many violations Splunk thinks I've had in the last 30 days to know how concerned I should be. I actually know that we've gone over for the past 3 days for certain due to some unusual testing that occurred, but I'm not sure if this is violation #4 in 30 days or just #3.
I looked in Manager -> License, but it shows "Warnings: 0". I don't see anything else on that page that would indicate how many I've had in 30 days. (I would really expect that this info should be on the license page.)
Is there a query I can run to tell me the number of violations in the last 30 days?
I'm running Splunk 4.2.4.
In the Splunk log files, you should look at "license_audit.log", which can be found in "$SPLUNK_HOME/var/log/splunk/". Here you will see information regarding license violations.
So you could search on
If you have access to the internal index, the fields should be extracted for you.
Thanks. This pointed me in the right direction. (It seems to be "license_audit.log" under 4.2.4.) I wound up with the following:
index="_internal" source="/opt/splunk/var/log/splunk/license_audit.log" quotaExceededCount="1" | stats count
run over the last 30 days.
That's great... It was a typo on my behalf (re: license_audit.log). I will edit my answer to be more reflective of this!
If this answered your question, would you mind marking the question as answered, which will help other splunkers (both those trying to answer and those looking for answers), thanks!
I use the following. You can run it for a 30-day window, and in a distributed environment it will break it out by indexer. I also use it as an alert to let me know if one of the indexers has "tripped" overnight.
index="_internal" "ERROR" host="ccpspl" NOT debug source="splunkd.log*" "ERROR LicenseManager - Daily indexing volume limit exceeded." | eval ler="ERROR LicenseManager - Daily indexing volume limit exceeded." | stats count(ler) BY host
You can also check your indexer and run a
./splunk show license
and see the exact days that you violated your license limit.
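As an added example (not code from this thread), here is the same count done offline over constructed license_audit.log-style lines, covering both the `quotaExceededCount="1"` search above and the per-host breakdown in this answer. It assumes each line is a splunkd-style timestamp followed by key=value pairs, with quotaExceededCount=1 on quota-exceeded days, and counts distinct violation days per host inside a 30-day window rather than raw events, so a day logged twice counts once.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real Splunk output): a splunkd-style timestamp
# followed by key=value pairs; quotaExceededCount=1 marks a quota-exceeded day.
SAMPLE_LOG = """\
09-25-2011 00:00:05.100 -0400 INFO  LicenseManager - quotaExceededCount=1 host=idx1
10-20-2011 00:00:05.200 -0400 INFO  LicenseManager - quotaExceededCount=0 host=idx1
10-28-2011 00:00:05.300 -0400 INFO  LicenseManager - quotaExceededCount=1 host=idx1
10-28-2011 12:00:05.400 -0400 INFO  LicenseManager - quotaExceededCount=1 host=idx1
10-29-2011 00:00:05.500 -0400 INFO  LicenseManager - quotaExceededCount=1 host=idx2
10-30-2011 00:00:05.600 -0400 INFO  LicenseManager - quotaExceededCount=1 host=idx1
"""
REFERENCE_NOW = datetime(2011, 10, 31)  # "now" for the sample; a real run would use datetime.now()

LINE_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ [+-]\d{4} .*?- (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return (timestamp, fields) for one line, or None if it is not an audit line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S")  # tz offset ignored (assumption)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return ts, fields


def violation_days(log_text=SAMPLE_LOG, now=REFERENCE_NOW, window_days=30):
    """Map host -> sorted ISO dates with quotaExceededCount=1 in (now - window, now].
    Distinct days are counted, so two entries on the same day are one violation,
    which a plain `stats count` over events does not guarantee."""
    start = now - timedelta(days=window_days)
    days = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, fields = parsed
        if fields.get("quotaExceededCount") == "1" and start < ts <= now:
            days[fields.get("host", "unknown")].add(ts.date().isoformat())
    return {host: sorted(dates) for host, dates in days.items()}


def total_violation_days(log_text=SAMPLE_LOG, now=REFERENCE_NOW, window_days=30):
    """Number of distinct violation days across all hosts in the window."""
    return len({d for dates in violation_days(log_text, now, window_days).values() for d in dates})


if __name__ == "__main__":
    print(violation_days(), total_violation_days())
```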
Thanks. For some reason, I had difficulty getting this to show me anything. (Yes, I changed the hostname to the Splunk indexer 🙂 ).
When I run "splunk show license", it tells me that that command is deprecated.
Also, it sounds like I'm mistaken about when a violation "resets". It was my understanding that you had to drop below 5 violations in a 30-day period. It sounds like you're saying that once you go over 5 in 30 days, you have to drop back to 0 violations in a 30-day period before you can do search again?
The query should be OK, but I am running 4.1.6 and it may be slightly different in 4.2.x.
The command in 4.2.x is
./splunk display license
In addition, I wanted to let you know that there are a couple of apps on SplunkBase that could help you with this matter.
The first app, called "Splunk License Usage" (http://splunk-base.splunk.com/apps/22382/splunk-license-usage), will show you your license usage through dashboards.
The second one, called "Real Time License Usage" (http://splunk-base.splunk.com/apps/22296/real-time-license-usage), will show you your daily license usage and assist you in proactively monitoring your license usage.
Both of them can be installed on top of 4.2.x quite easily.
Thanks. I actually have both of these. They tell me about my license usage now (or today or for the last 12 hours, etc). My problem here is that I know I've had some violations in the last 30 days, I just can't remember how many within that window and I don't want to come in tomorrow to find out I can't search for another, say, 25 days.