License Usage by sourcetype in 6.6


I just upgraded from 6.5.6 to 6.6.5, and some searches I was doing in my personal dashboard stopped working.

Through 6.5 I've been using some RT searches to watch the top 10 sourcetypes getting indexed over the past hour. These searches are based on some I found in the old Deployment Monitor app, and start by searching "index=_internal source=license_usage.log type=Usage", then breaking down the results so as to create a stacked area chart. One dashboard panel was broken down by ST, the other by host. Using these I could contact one of my users and note that they were sending an unusual amount of events, in case they weren't aware of that.

Now that I'm running 6.6, those searches don't return any results, as the license usage is being tracked in the license_usage_summary.log file, which is forwarded to the _telemetry index, as I learned looking at the searches in the Monitoring Console. I have looked through the MC, but so far haven't found any panels that I can borrow from. In the License Usage choices under Indexing, the only choices I have are either Previous 30 Days or Today. In Previous I can split by ST, but not in Today, so it won't meet my requirements for ST usage anomalies.

Does anyone have a suggestion for how to monitor the highest ST usage over the past hour or so?

0 Karma
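For the hour-scale view the question asks for, here is an added example search (not from this thread or from any Splunk app) that reads the same type=Usage events from license_usage.log and charts the top 10 sourcetypes in 5-minute buckets, ready to drop into a stacked area chart panel. It assumes the field names used elsewhere on this page (b for bytes, st for sourcetype, h for host, idx for index), that it is run where license_usage.log is indexed (the license master), and that the time range is supplied by the panel's time picker; the earliest clause is only a fallback for ad-hoc use.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-60m@m
| eval st=if(isnull(st) OR len(st)=0, "(UNKNOWN)", st)
| eval mb=b/1024/1024
| timechart span=5m sum(mb) AS MB BY st limit=10 useother=false
```

To get the host panel instead, change `BY st` to `BY h` and add the `(SQUASHED)` handling from the answer below, since h and s are blanked by Splunk once too many distinct host/source pairs occur in the period. For a simple ranked table rather than a chart, replace the timechart line with `| stats sum(mb) AS MB BY st | sort 10 -MB`.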

Super Champion

hey try this:

Just run the search below for any custom time range, or select Today in the time picker.

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| timechart span=1d sum(b) AS volumeB by st fixedrange=false
| join type=outer _time
    [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
     | eval _time=_time - 43200
     | bin _time span=1d
     | stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Let me know if this helps you!

0 Karma

Revered Legend

AFAIK, license_usage.log is still being logged and does allow splitting by sourcetype. Can you try running your index=_internal source=*license_usage.log on your license master instance?

0 Karma