Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk License Usage - Month over Month

moesaidi
Path Finder
‎06-23-2017 06:02 AM

We upgraded to 6.5.2 recently and was under the impression that 6.5 keeps license usage history over 30 days (unlike the older 6.2, etc..)

When I check out LURV or try to run a few searches, I can still only see 30 days worth of license usage data.

Has anyone been able to identify a way to generate a report of license usage over, say, the past 6 months to try to determine growth projections and whether additional license will need to be purchased over X months etc.. ?

Any help is appreciated.

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-23-2017 06:55 AM

If the problem is that events are expiring out of _internal or _telemetry while you still need them and you cannot extend the retention, you can create a summary index (which will be TINY) and schedule a saved search to run nightly that dumps a daily summary and you can search from that.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎06-23-2017 06:23 AM

In addition to this, you can adjust the retention time of the _internal index. This is where the metrics and license usage data is stored. Extend that to 6 /9 / 12 months etc.
Just be aware of the implications this would have on disk space on your indexers.

0 Karma
Reply

moesaidi
Path Finder
‎06-23-2017 06:42 AM

I wish I could set _index to over 30 days though like you said, that would use up a lot of disk space.
I was under the impression _telemetry would save licensing data and that by default is kept for 6 months.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-23-2017 06:17 AM

Get the search from the Monitoring Console:
https://docs.splunk.com/Documentation/Splunk/6.6.1/DMC/DMCoverview
Then use the timewrap command:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Timewrap

0 Karma
Reply

moesaidi
Path Finder
‎06-23-2017 06:41 AM

I've tried this before and now again, even after adjusting the 'earliest' value or using timewrap it only shows me the last 30 days.
It seems to use the _internal index which is only retained for 30 days, but I thought 6.5.x and higher was using _telemetry index for licensing which is stored for 6 months.

Any other ideas?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...