Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to determine daily license usage in GB?

the_wolverine
Champion
‎07-21-2010 04:52 PM

What's a search I can run to quickly see my daily license usage in GB?

Tags (3)
Reply
2 Solutions
Solved! Jump to solution
Solution

the_wolverine
Champion
‎07-21-2010 04:54 PM 
index=_internal todaysbytesindexed startdaysago=30 | eval GB_Indexed = todaysBytesIndexed/1024/1024/1024 | timechart span=1d avg(GB_Indexed)

This search is included in the Search App's set of bundled indexing-related searches as of version 4.1.4.

View solution in original post

Reply
Solved! Jump to solution
Solution

Lionel
Splunk Employee
Splunk Employee
‎07-21-2010 05:13 PM

Also, you can find on SplunkBase the Splunk License Usage Apps.

In addition to the daily license usage, this Splunk Apps provides a dashboard of your Splunk license usage total over the past 24 hours as well as usage by host, source, and sourcetype. It contains timecharts to help you understand usage over time and see usage spikes as well as pie charts to help you to figure out which log files, sourcetypes, and hosts Splunk is indexing the most data from.

View solution in original post

Reply
Solved! Jump to solution

the_wolverine
Champion
‎02-21-2014 02:42 PM

From a License Server version 4.3 and newer:

  • By POOL:

index=_internal source=license_usage.log
type=RolloverSummary | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool limit=20

  • By Sourcetype (or Host or Source):

index=_internal source=license_usage.log
type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st limit=20

Reply
Solved! Jump to solution

abhayneilam
Contributor
‎08-26-2015 11:29 AM

After running your query, I am getting blank for few of the dates . I am getting completely blank rows for few of the dates. Please help why is this coming as blank. It means there is no event appears in the license log for these dates.

Please help !!

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎02-29-2012 08:15 PM

Beware, in 4.2 and in 4.3, the license metrics log files format changed.
please update your searches according to this guide :

http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

Reply
Solved! Jump to solution

ualbanytech
Path Finder
‎02-07-2013 01:23 PM

Thank You! I wasted quite a bit of time until I ran across
your comment. I ended up with:

index=_internal source=*license_usage* type=RolloverSummary  | bucket _time span=1d | eval MB_vol=b/1024/1024 | timechart span=1d sum(MB_vol) by pool
Reply
Solved! Jump to solution

Jason
Motivator
‎05-20-2011 08:06 AM

Similar to Tedder's, here are the searches I always use to see a nice graphical view of indexing in Advanced Charting view, last 24 hours:

Today's indexing by sourcetype:

index="_internal" source="*metrics.log" per_sourcetype_thruput | eval MB=kb/1024 | timechart span=10m sum(MB) by series

Today's indexing by index:

index="_internal" source="*metrics.log" per_index_thruput | eval MB=kb/1024 | timechart span=10m sum(MB) by series

If certain sourcetypes/indexes are too big, you can use the Y axis log-scale option, or exclude them, such as Today's non-internal indexing by sourcetype:

index="_internal" source="*metrics.log" per_sourcetype_thruput NOT series=splunkd NOT series=stash | eval MB=kb/1024 | timechart span=10m sum(MB) by series
Reply
Solved! Jump to solution

jokertothequinn
Path Finder
‎09-14-2023 12:22 AM

This query can be further modified into this:

index="_internal" source="*metrics.log" per_index_thruput series=* NOT ingest_pipe=*
|stats sum(kb) as kb values(host) as host by series


however this query will also show the amount of KBs being logged into indexes via summary indexing (sourcetype=stash), which is supposed to be not charged.


Hence, I would prefer this query:
index=_internal type=usage idx IN (*) source="*license_usage.log" NOT (h="" OR h=" ")

0 Karma
Reply
Solved! Jump to solution

tedder
Communicator
‎12-30-2010 04:03 PM

This has been answered several times, but here are searches I use.

daily total by GB:

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | timechart span=1d sum(GB) | convert ctime(_time) as timestamp

highest-usage indexes:

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | stats sum(GB) as total by series date_mday | sort total | fields + date_mday,series,total | reverse
Reply
Solved! Jump to solution

Justin_Grant
Contributor
‎08-10-2010 10:47 PM

A simple way to do this, adapting @wolverine's search above:

index=_internal todaysbytesindexed startdaysago=30 | eval MB_Indexed = todaysBytesIndexed/1024/1024 | stats sum(MB_Indexed) by date_mday,date_month,date_year

This will provide a table of usage over time, broken out in a table by date

Reply
Solved! Jump to solution
Solution

Lionel
Splunk Employee
Splunk Employee
‎07-21-2010 05:13 PM

Also, you can find on SplunkBase the Splunk License Usage Apps.

In addition to the daily license usage, this Splunk Apps provides a dashboard of your Splunk license usage total over the past 24 hours as well as usage by host, source, and sourcetype. It contains timecharts to help you understand usage over time and see usage spikes as well as pie charts to help you to figure out which log files, sourcetypes, and hosts Splunk is indexing the most data from.

Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎07-21-2010 04:54 PM 
index=_internal todaysbytesindexed startdaysago=30 | eval GB_Indexed = todaysBytesIndexed/1024/1024/1024 | timechart span=1d avg(GB_Indexed)

This search is included in the Search App's set of bundled indexing-related searches as of version 4.1.4.

Reply
Solved! Jump to solution

hrottenberg_spl
Splunk Employee
Splunk Employee
‎12-04-2019 12:31 PM

Note for the record that this search has not worked since v5 or so.

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top