Getting Data In

How to determine daily license usage in GB?

Champion

What's a search I can run to quickly see my daily license usage in GB?

Champion

From a License Server version 4.3 and newer:

  • By POOL:

index=_internal source=*license_usage.log* type=RolloverSummary | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool limit=20

  • By Sourcetype (or Host or Source):

index=_internal source=*license_usage.log* type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st limit=20

Contributor

After running your query, I am getting blanks for a few of the dates. I am getting completely blank rows for a few of the dates. Please help: why is this coming up blank? It means no events appear in the license log for these dates.

Please help!!

0 Karma

Splunk Employee

Beware: in 4.2 and in 4.3, the format of the license metrics log files changed.
Please update your searches according to this guide:

http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

Path Finder

Thank you! I wasted quite a bit of time until I ran across your comment. I ended up with:

index=_internal source=*license_usage* type=RolloverSummary  | bucket _time span=1d | eval MB_vol=b/1024/1024 | timechart span=1d sum(MB_vol) by pool

Motivator

Similar to Tedder's, here are the searches I always use to see a nice graphical view of indexing in Advanced Charting view, last 24 hours:

Today's indexing by sourcetype:

index="_internal" source="*metrics.log" per_sourcetype_thruput | eval MB=kb/1024 | timechart span=10m sum(MB) by series

Today's indexing by index:

index="_internal" source="*metrics.log" per_index_thruput | eval MB=kb/1024 | timechart span=10m sum(MB) by series

If certain sourcetypes/indexes are too big, you can use the Y axis log-scale option, or exclude them, such as Today's non-internal indexing by sourcetype:

index="_internal" source="*metrics.log" per_sourcetype_thruput NOT series=splunkd NOT series=stash | eval MB=kb/1024 | timechart span=10m sum(MB) by series

Communicator

This has been answered several times, but here are searches I use.

daily total by GB:

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | timechart span=1d sum(GB) | convert ctime(_time) as timestamp

highest-usage indexes:

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | stats sum(GB) as total by series date_mday | sort total | fields + date_mday,series,total | reverse

Contributor

A simple way to do this, adapting @wolverine's search above:

index=_internal todaysbytesindexed startdaysago=30 | eval MB_Indexed = todaysBytesIndexed/1024/1024 | stats sum(MB_Indexed) by date_mday,date_month,date_year

This will provide a table of usage over time, broken out by date.

Splunk Employee

Also, you can find on SplunkBase the Splunk License Usage Apps.

In addition to the daily license usage, this Splunk app provides a dashboard of your Splunk license usage total over the past 24 hours, as well as usage by host, source, and sourcetype. It contains timecharts to help you understand usage over time and see usage spikes, as well as pie charts to help you figure out which log files, sourcetypes, and hosts Splunk is indexing the most data from.


Champion
index=_internal todaysbytesindexed startdaysago=30 | eval GB_Indexed = todaysBytesIndexed/1024/1024/1024 | timechart span=1d avg(GB_Indexed)

This search is included in the Search App's set of bundled indexing-related searches as of version 4.1.4.


Splunk Employee

Note for the record that this search has not worked since v5 or so.

0 Karma