- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to determine daily license usage in GB?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=_internal todaysbytesindexed startdaysago=30 | eval GB_Indexed = todaysBytesIndexed/1024/1024/1024 | timechart span=1d avg(GB_Indexed)
This search is included in the Search App's set of bundled indexing-related searches as of version 4.1.4.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, you can find on SplunkBase the Splunk License Usage Apps.
In addition to the daily license usage, this Splunk Apps provides a dashboard of your Splunk license usage total over the past 24 hours as well as usage by host, source, and sourcetype. It contains timecharts to help you understand usage over time and see usage spikes as well as pie charts to help you to figure out which log files, sourcetypes, and hosts Splunk is indexing the most data from.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From a License Server version 4.3 and newer:
- By POOL:
index=_internal source=license_usage.log
type=RolloverSummary | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool limit=20
- By Sourcetype (or Host or Source):
index=_internal source=license_usage.log
type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st limit=20
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After running your query, I am getting blank for few of the dates . I am getting completely blank rows for few of the dates. Please help why is this coming as blank. It means there is no event appears in the license log for these dates.
Please help !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Beware, in 4.2 and in 4.3, the license metrics log files format changed.
please update your searches according to this guide :
http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank You! I wasted quite a bit of time until I ran across
your comment. I ended up with:
index=_internal source=*license_usage* type=RolloverSummary | bucket _time span=1d | eval MB_vol=b/1024/1024 | timechart span=1d sum(MB_vol) by pool
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Similar to Tedder's, here are the searches I always use to see a nice graphical view of indexing in Advanced Charting view, last 24 hours:
Today's indexing by sourcetype:
index="_internal" source="*metrics.log" per_sourcetype_thruput | eval MB=kb/1024 | timechart span=10m sum(MB) by series
Today's indexing by index:
index="_internal" source="*metrics.log" per_index_thruput | eval MB=kb/1024 | timechart span=10m sum(MB) by series
If certain sourcetypes/indexes are too big, you can use the Y axis log-scale option, or exclude them, such as Today's non-internal indexing by sourcetype:
index="_internal" source="*metrics.log" per_sourcetype_thruput NOT series=splunkd NOT series=stash | eval MB=kb/1024 | timechart span=10m sum(MB) by series
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This query can be further modified into this:
index="_internal" source="*metrics.log" per_index_thruput series=* NOT ingest_pipe=*
|stats sum(kb) as kb values(host) as host by series
however this query will also show the amount of KBs being logged into indexes via summary indexing (sourcetype=stash), which is supposed to be not charged.
Hence, I would prefer this query:
index=_internal type=usage idx IN (*) source="*license_usage.log" NOT (h="" OR h=" ")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This has been answered several times, but here are searches I use.
daily total by GB:
index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | timechart span=1d sum(GB) | convert ctime(_time) as timestamp
highest-usage indexes:
index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | stats sum(GB) as total by series date_mday | sort total | fields + date_mday,series,total | reverse
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A simple way to do this, adapting @wolverine's search above:
index=_internal todaysbytesindexed startdaysago=30 | eval MB_Indexed = todaysBytesIndexed/1024/1024 | stats sum(MB_Indexed) by date_mday,date_month,date_year
This will provide a table of usage over time, broken out in a table by date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, you can find on SplunkBase the Splunk License Usage Apps.
In addition to the daily license usage, this Splunk Apps provides a dashboard of your Splunk license usage total over the past 24 hours as well as usage by host, source, and sourcetype. It contains timecharts to help you understand usage over time and see usage spikes as well as pie charts to help you to figure out which log files, sourcetypes, and hosts Splunk is indexing the most data from.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=_internal todaysbytesindexed startdaysago=30 | eval GB_Indexed = todaysBytesIndexed/1024/1024/1024 | timechart span=1d avg(GB_Indexed)
This search is included in the Search App's set of bundled indexing-related searches as of version 4.1.4.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Note for the record that this search has not worked since v5 or so.
New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...
Alerting Best Practices: How to Create Good Detectors
Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...
