How to determine daily license usage in GB?

the_wolverine
Champion

What's a search I can run to quickly see my daily license usage in GB?

the_wolverine
Champion

From a License Server version 4.3 and newer:

  • By POOL:

index=_internal source=license_usage.log type=RolloverSummary | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool limit=20

  • By Sourcetype (or Host or Source):

index=_internal source=license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st limit=20

abhayneilam
Contributor

After running your query, I am getting blanks for a few of the dates. I am getting completely blank rows for a few of the dates. Please help me understand why these are coming up blank. It means no events appear in the license log for these dates.

Please help!!

0 Karma
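
An offline counterpart to the license_usage.log searches above, which also lists the dates that have no matching events, the case that shows up as blank rows in the timechart. This is an added example, not code from the thread or from Splunk; the sample lines are constructed, and the timestamp prefix layout is an assumption, while the fields `type`, `st`, `pool` and `b` are the ones the searches use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. The timestamp/prefix layout is an assumption;
# the key=value fields (type, st, h, idx, pool, b) are those used in the searches.
SAMPLE_LOG = """\
03-01-2024 00:10:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web01" idx="main" pool="pool_a" b=1610612736
03-01-2024 00:20:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/fw.log" st="firewall" h="fw01" idx="net" pool="pool_a" b=536870912
03-01-2024 23:59:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary pool="pool_a" b=2147483648
03-03-2024 00:10:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/fw.log" st="firewall" h="fw01" idx="net" pool="pool_a" b=1073741824
"""

# key=value pairs, where the value is either quoted or a bare token
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return (date, fields) for one log line, or None if it has no leading date."""
    try:
        day = datetime.strptime(line[:10], "%m-%d-%Y").date()
    except ValueError:
        return None
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    return day, fields

def daily_gb(log_text, event_type="Usage", split_by="st"):
    """Like: type=<event_type> | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by <split_by>"""
    totals = defaultdict(lambda: defaultdict(float))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        day, fields = parsed
        if fields.get("type") != event_type or "b" not in fields:
            continue
        totals[day][fields.get(split_by, "NULL")] += int(fields["b"]) / 1024 ** 3
    return {day: dict(series) for day, series in totals.items()}

def missing_days(totals):
    """Dates between the first and last day seen that have no matching events."""
    if not totals:
        return []
    first, last = min(totals), max(totals)
    days = (first + timedelta(n) for n in range((last - first).days + 1))
    return [day for day in days if day not in totals]
```
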

yannK
Splunk Employee

Beware: in 4.2 and in 4.3, the license metrics log file format changed.
Please update your searches according to this guide:

http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

ualbanytech
Path Finder

Thank you! I wasted quite a bit of time until I ran across your comment. I ended up with:

index=_internal source=*license_usage* type=RolloverSummary  | bucket _time span=1d | eval MB_vol=b/1024/1024 | timechart span=1d sum(MB_vol) by pool

Jason
Motivator

Similar to Tedder's, here are the searches I always use to see a nice graphical view of indexing in Advanced Charting view, last 24 hours:

Today's indexing by sourcetype:

index="_internal" source="*metrics.log" per_sourcetype_thruput | eval MB=kb/1024 | timechart span=10m sum(MB) by series

Today's indexing by index:

index="_internal" source="*metrics.log" per_index_thruput | eval MB=kb/1024 | timechart span=10m sum(MB) by series

If certain sourcetypes/indexes are too big, you can use the Y axis log-scale option, or exclude them, such as Today's non-internal indexing by sourcetype:

index="_internal" source="*metrics.log" per_sourcetype_thruput NOT series=splunkd NOT series=stash | eval MB=kb/1024 | timechart span=10m sum(MB) by series

jokertothequinn
Path Finder

This query can be further modified into this:

index="_internal" source="*metrics.log" per_index_thruput series=* NOT ingest_pipe=*
|stats sum(kb) as kb values(host) as host by series

However, this query will also show the amount of KB being logged into indexes via summary indexing (sourcetype=stash), which is not supposed to be charged.

Hence, I would prefer this query:

index=_internal type=usage idx IN (*) source="*license_usage.log" NOT (h="" OR h=" ")

0 Karma

tedder
Communicator

This has been answered several times, but here are searches I use.

daily total by GB:

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | timechart span=1d sum(GB) | convert ctime(_time) as timestamp

highest-usage indexes:

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | stats sum(GB) as total by series date_mday | sort total | fields + date_mday,series,total | reverse

Justin_Grant
Contributor

A simple way to do this, adapting @wolverine's search above:

index=_internal todaysbytesindexed startdaysago=30 | eval MB_Indexed = todaysBytesIndexed/1024/1024 | stats sum(MB_Indexed) by date_mday,date_month,date_year

This will provide a table of usage over time, broken out in a table by date.

Lionel
Splunk Employee

Also, you can find on SplunkBase the Splunk License Usage Apps.

In addition to the daily license usage, this Splunk app provides a dashboard of your Splunk license usage total over the past 24 hours as well as usage by host, source, and sourcetype. It contains timecharts to help you understand usage over time and see usage spikes, as well as pie charts to help you figure out which log files, sourcetypes, and hosts Splunk is indexing the most data from.

the_wolverine
Champion

index=_internal todaysbytesindexed startdaysago=30 | eval GB_Indexed = todaysBytesIndexed/1024/1024/1024 | timechart span=1d avg(GB_Indexed)

This search is included in the Search App's set of bundled indexing-related searches as of version 4.1.4.

hrottenberg_spl
Splunk Employee

Note for the record that this search has not worked since v5 or so.
