Deployment Architecture

Why is there no license usage data available in Splunk?

Contributor

I was trying to find the license usage logs using the query: index=_internal source=license_usage.log but we are not getting any data. Am able to see one-day data as it runs the query using |rest... I check the list monitor command which also showed the license usage logs being monitored by Splunk.

Note: license master + cluster master + Distributed Management Console are all residing in the same instance.

Please advice

0 Karma

SplunkTrust
SplunkTrust

Try this for last 30 days on the license master In order to receive logs on search head you need to forward internal logs of license master.

index=_internal 
    [ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d 
| eval _time=_time - 43200 
| bin _time span=1d 
| stats latest(b) AS b by slave, pool, _time 
| timechart span=1d sum(b) AS "volume" fixedrange=false 
| join type=outer _time 
    [ search index=_internal 
        [ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d 
    | eval _time=_time - 43200 
    | bin _time span=1d 
    | stats latest(stacksz) AS "stack size" by _time] 
| fields - _timediff 
| foreach * 
    [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Also, you can get then same in Settings » Licensing » License Usage Reporting » Previous 30 days

let me know if this helps!

0 Karma

Motivator

Cluster master internal logs are forwarded to Indexer as best practice?

And in your search try to run it as:

index=internal source="/opt/splunk/var/log/splunk/licenseusage.log"

to get data from license_usage.log

For 30 days license usage

index=internal source=*licenseusage.log type=Usage pool=* | rename _time as Date | eval Date=strftime(Date, "%m-%d-%y") | stats sum(b) as ub by Date | eval ub=round(ub/1024/1024/1024,3) | rename ub as "Daily License Quota - GB's Used"

0 Karma

Contributor

am running the query in search head which is assocaite with all the indexers :
Was able to reterive only the below log

01-29-2018 10:06:30.048 +0000 INFO LicenseUsage - type=Message - License usage logging not available for slave licensing instances, please see license_usage.log on license master=https://X.X.X.X:8089 for usage breakdown

0 Karma

Motivator

That means you have not forwarded the internal logs to indexer. In that case run the query from Licence Master.

0 Karma

Contributor

i am running the query from license master only

0 Karma