We decided to centralize all of our Splunk licensing, and my group is now responsible for it (yay, us?). So, we now have one huge license pool, and I need to create some reports for different groups. I need to break down the usage by groups of indexers. How would I do that? Is there any way to assign each group a value, and then report on when they have either gone over it, or even approaching 80% of it?
You can configure one or more groups of license and assign to each one a part of license and define which indexers can use each license group.
In this way and using Utilization report by Pool you can have your alerts.
index=internal [`setlocalhost`] source=*licenseusage.log* type="RolloverSummary" earliest=-30d@d pool="pool1" | eval time=time - 43200 | bin time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=internal [
set_local_host] source=license_usage.log type="RolloverSummary" earliest=-30d@d pool="autogeneratedpoolenterprise" | eval _time=time - 43200 | bin _time span=1d | stats latest(poolsz) AS "dimensione del gruppo" by _time] | fields - _timediff | foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
If you don't want to use License Pool, the only way I see is to associate one or more indexes to a group and sum the license consumption of them using the License usage report.
Right, so I'm looking for help on how to do that in a search, knowing that there will be multiple groups. Also, is there anyway to report on when you are approaching values exceeding a value.
Go in the Distributed Management Console App and open App alerts
see only App alerts and open in search the following alert:
"DMC Alert - Total License Usage Near Daily Quota"
this is a good starting point to reach your target.
I'm pretty sure this is all captured in the Chargeback app. Obviously, you're not talking about doing Chargeback, but there should be reports and lookups to help you manage the mapping for measuring one large pool.