I was trying to find the license usage logs using the query:
index=_internal source=license_usage.log
but we are not getting any data. I am able to see one-day data as it runs the query using |rest... I checked the list monitor command, which also showed the license usage logs being monitored by Splunk.
Note: license master + cluster master + Distributed Management Console are all residing in the same instance.
Try this for the last 30 days on the license master. In order to receive logs on the search head, you need to forward the internal logs of the license master.
index=_internal [ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [ search index=_internal [ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
Also, you can get the same in
Settings » Licensing » License Usage Reporting » Previous 30 days
let me know if this helps!
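An offline sketch of what the RolloverSummary search above computes, added here as an example; it is not part of the original posts and is not Splunk's own code. The sample lines are constructed, and the key=value layout of license_usage.log is assumed from the fields the search uses (type, slave, pool, b, stacksz).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data); the last one mimics the slave-instance message.
SAMPLE = '''\
01-28-2018 00:00:05.100 +0000 INFO LicenseUsage - type=RolloverSummary pool="pool_a" slave="IDX1" b=3221225472 stacksz=10737418240
01-28-2018 00:00:05.200 +0000 INFO LicenseUsage - type=RolloverSummary pool="pool_a" slave="IDX2" b=1073741824 stacksz=10737418240
01-29-2018 00:00:04.900 +0000 INFO LicenseUsage - type=RolloverSummary pool="pool_a" slave="IDX1" b=2147483648 stacksz=10737418240
01-29-2018 10:06:30.048 +0000 INFO LicenseUsage - type=Message - License usage logging not available for slave licensing instances
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
GB = 1024 ** 3

def parse(line):
    """Return (timestamp, fields) for one license_usage.log line."""
    ts = datetime.strptime(line[:29], "%m-%d-%Y %H:%M:%S.%f %z")
    fields = {k: q or u for k, q, u in KV.findall(line[29:])}
    return ts, fields

def daily_volume(lines):
    """Mirror the search: shift by 12h, bucket per day, keep the latest b
    per (slave, pool, day), then sum per day and convert to GB."""
    latest, stack, slave_only = {}, {}, False
    for line in filter(None, lines):
        ts, f = parse(line)
        if f.get("type") == "Message" and "slave licensing instances" in line:
            slave_only = True  # this instance is not the license master
        if f.get("type") != "RolloverSummary":
            continue
        # The summary is written just after midnight for the previous day,
        # so subtracting 43200 s places it in the day it describes.
        day = (ts - timedelta(seconds=43200)).date().isoformat()
        key = (f["slave"], f["pool"], day)
        if key not in latest or ts >= latest[key][0]:
            latest[key] = (ts, int(f["b"]))
        stack[day] = int(f["stacksz"])  # lines assumed chronological
    volume = defaultdict(int)
    for (_, _, day), (_, b) in latest.items():
        volume[day] += b
    report = {d: (round(v / GB, 3), round(stack[d] / GB, 3))
              for d, v in sorted(volume.items())}
    return report, slave_only

if __name__ == "__main__":
    print(daily_volume(SAMPLE.splitlines()))
```

A result with `slave_only` set and no RolloverSummary rows means the log being read belongs to a license slave, and the usage data has to come from the license master or from its forwarded internal logs.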
Cluster master internal logs are forwarded to Indexer as best practice?
And in your search try to run it as:
to get data from license_usage.log
For 30 days license usage
index=_internal source=*license_usage.log type=Usage pool=* | rename _time as Date | eval Date=strftime(Date, "%m-%d-%y") | stats sum(b) as ub by Date | eval ub=round(ub/1024/1024/1024,3) | rename ub as "Daily License Quota - GB's Used"
I am running the query on the search head, which is associated with all the indexers:
I was able to retrieve only the below log
01-29-2018 10:06:30.048 +0000 INFO LicenseUsage - type=Message - License usage logging not available for slave licensing instances, please see license_usage.log on license master=https://X.X.X.X:8089 for usage breakdown