Hi,
We decided to centralize all of our Splunk licensing, and my group is now responsible for it (yay, us?). So, we now have one huge license pool, and I need to create some reports for different groups. I need to break down the usage by groups of indexers. How would I do that? Is there any way to assign each group a value, and then report on when they have either gone over it, or even approaching 80% of it?
Hi a212830,
Burch is right, this exact feature is built into the Chargeback App. Feel free to reach out to me if you want a walk through, my contact info is in the readme.
Jim
Hi Jim,
I don't see a way to associate license servers with a group. Am I missing something? Feel free to contact me directly.
Sorry, not license servers - slaves... indexers reporting into the license mgr.
The groups are assigned to each individual index in customers.csv. Think of it as a micro-license for each individual index. You then apply the anticipated daily volume to it and you are off to the races!
If you have more than one group using the same index, make a copy of the index definition, put in the new group name, and then adjust each of their percent ownership.
Let me know how it works out.
Jim
I'm pretty sure this is all captured in the Chargeback app. Obviously, you're not talking about doing Chargeback, but there should be reports and lookups to help you manage the mapping for measuring one large pool.
You can configure one or more groups of license and assign to each one a part of license and define which indexers can use each license group.
In this way and using Utilization report by Pool you can have your alerts.
index=_internal [set_local_host
] source=license_usage.log type="RolloverSummary" earliest=-30d@d pool="pool1" | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal [set_local_host
] source=license_usage.log type="RolloverSummary" earliest=-30d@d pool="auto_generated_pool_enterprise" | eval _time=_time - 43200 | bin _time span=1d | stats latest(poolsz) AS "dimensione del gruppo" by _time] | fields - _timediff | foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
Bye.
Giuseppe
Are you saying license groups? We don't want to do that - by using one large pool, we can eliminate some overages.
If you don't want to use License Pool, the only way I see is to associate one or more indexes to a group and sum the license consumption of them using the License usage report.
Bye.
Giuseppe
Right, so I'm looking for help on how to do that in a search, knowing that there will be multiple groups. Also, is there anyway to report on when you are approaching values exceeding a value.
"when you are approaching values exceeding a value" - like the predict command?
No there's a limit (e.g. 80%) and an alert is triggered when this value is reached.
Bye.
Giuseppe
Thanks. I'm looking for alerting on groups of indexers, so the total license usage doesn't really help me.
Go in the Distributed Management Console App and open App alerts
http://xxx.xxx.xxx.xxx:8000/it-IT/app/splunk_management_console/alerts
see only App alerts and open in search the following alert:
"DMC Alert - Total License Usage Near Daily Quota"
this is a good starting point to reach your target.
Bye.
Giuseppe