License Usage by sourcetype in 6.6

Explorer

I just upgraded from 6.5.6 to 6.6.5, and some searches I was doing in my personal dashboard stopped working.

Through 6.5 I've been using some RT searches to watch the top 10 sourcetypes getting indexed over the past hour. These searches are based on some I found in the old Deployment Monitor app, and start by searching "index=_internal source=license_usage.log type=Usage", then breaking down the results so as to create a stacked area chart. One dashboard panel was broken down by ST, the other by host. Using these I could contact one of my users and note that they were sending an unusual number of events, in case they weren't aware of that.

Now that I'm running 6.6, those searches don't return any results, as the license usage is being tracked in the license_usage_summary.log file, which is forwarded to the _telemetry index, as I learned looking at the searches in the Monitoring Console. I have looked through the MC, but so far haven't found any panels that I can borrow from. In the License Usage choices under Indexing, the only choices I have are either Previous 30 Days or Today. In Previous I can split by ST, but not in Today, so it won't meet my requirements for ST usage anomalies.

Does anyone have a suggestion for how to monitor the highest ST usage over the past hour or so?

SplunkTrust

Hey, try this:

Just run the search below for any custom time; select Today in the time picker.

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| timechart span=1d sum(b) AS volumeB by st fixedrange=false
| join type=outer _time
    [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
    | eval _time=_time - 43200
    | bin _time span=1d
    | stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Let me know if this helps you!

SplunkTrust

AFAIK, license_usage.log is still being logged and does allow splitting by sourcetype. Can you try running your `index=_internal source=*license_usage.log` on your license master instance?

http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/AboutSplunksLicenseUsageReportView#Previous_...

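An added example (not from either answer above): assuming license_usage.log is still written on the license master with the b, st, h, s and idx fields used in the first answer, this search compares each sourcetype's indexed bytes in the last full hour against its hourly average over the previous seven days and lists the sourcetypes that spiked or are brand new, which is the ST usage-anomaly view the question asks for. The thresholds (10 MB, 3x, 3 sigma) are constructed placeholders to tune for your environment.

```spl
index=_internal source=*license_usage.log* type="Usage" earliest=-7d@h latest=@h
| eval st=if(len(st)=0 OR isnull(st), "(SQUASHED)", st)
| bin _time span=1h
| stats sum(b) AS bytes BY _time, st
| eval period=if(_time >= relative_time(now(), "-1h@h"), "current", "baseline")
| stats sum(eval(if(period="current", bytes, 0))) AS current_bytes,
        avg(eval(if(period="baseline", bytes, null()))) AS baseline_avg,
        stdev(eval(if(period="baseline", bytes, null()))) AS baseline_stdev BY st
| eval current_MB=round(current_bytes/1024/1024, 2),
       baseline_MB=round(baseline_avg/1024/1024, 2),
       ratio=if(baseline_avg > 0, round(current_bytes/baseline_avg, 2), null()),
       zscore=if(baseline_stdev > 0, round((current_bytes-baseline_avg)/baseline_stdev, 2), null())
| eval flag=case(isnull(baseline_avg) OR baseline_avg=0, "new sourcetype",
                 ratio > 3, "volume > 3x hourly baseline",
                 zscore > 3, "volume > 3 sigma above baseline",
                 true(), null())
| where current_MB > 10 AND isnotnull(flag)
| sort - current_MB
| head 10
| table st current_MB baseline_MB ratio zscore flag
```

Because host and source can be squashed in license_usage.log while sourcetype is not, the same search split by h or s only works for low-cardinality environments; run it on the license master, or point index=_internal at the indexer that holds its _internal data.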