How to get the License usage by host - (with a license master-slave setup)

splunker12er
Motivator

Deployment Setup:

License Master Server - 1
Splunk Indexer        - 2
Splunk Search head    - 1
Heavy Forwarder       - 2

I have pointed all the instances to my license master server.
Currently, I calculate the daily license usage of Splunk by indexer by running the below query on the License Master Server:

index=_internal source=*license_usage.log* type=Usage earliest=@d |bucket _time span=1d |stats sum(b) AS volume_bytes by _time host pool i |eval volume_GB=round(volume_bytes/1024/1024/1024,3) |rename i AS indexer_GUID |JOIN indexer_GUID [|REST /services/licenser/slaves | table title label|rename title AS indexer_GUID| rename label AS indexer_name]|timechart values(volume_GB) by indexer_name usenull=f useother=f

Search head & heavy forwarder don't consume license quota, but the license_usage.log files still log some bytes. (Why?)
_internal logs don't consume any license quota.

Query 1:

I need to monitor the license usage by host. Where should I run the query?
Every Splunk instance has the license_usage.log file; do all the files capture the usage?

Do I need to run the below query on each indexer and total the sum? What is the right way?

License usage by host :

index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)

MuS
SplunkTrust

Hi splunker12er,

this is how I would do it:

hope this helps ...

cheers, MuS


yannK
Splunk Employee

Search head & heavy forwarder don't consume license quota, but the license_usage.log files still log some bytes. (Why?)
_internal logs don't consume any license quota.

What are the index/source/sourcetype of those events from the SH/HFWD ?


splunker12er
Motivator

Okay. If I forward all the Splunk instances' _internal logs to my 2 indexers:

  1. First of all, when I forward the _internal logs of Splunk instances to the indexers, they will get indexed on the indexers, which consumes license volume.
  2. To which index should I forward? (_internal?)
  3a. If I should not run the license query against metrics.log on the search head, what is the source that I should use to run the query?
  3b. What is the concept behind moving the other Splunk instances' logs to central indexers?

MuS
SplunkTrust

To answer this shortly...

  1. No, they will not consume license volume.
  2. Your _internal events will be forwarded by default to index _internal.
  3a. Use the license_usage.log: index=_internal source="*license_usage.log", or change the setting for metrics.log ( http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/Limitsconf ).
  3b. This way you can search all the internal logs from the search head for troubleshooting reasons, or for any other use case where you need to search any of the other Splunk instances' logs.
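
A per-host version of the license_usage.log search discussed in this thread, as an added example that is not part of any post above. It assumes the license master's _internal events are searchable from where it runs, and that type=Usage events carry the host in field h alongside the b, pool and i fields used in the question; the 7-day window and the "(squashed)" label are arbitrary choices. Events whose host field was left empty are grouped under one label so their volume is not silently dropped from the per-host totals.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-7d@d latest=@d
| eval h=if(len(h)=0 OR isnull(h), "(squashed)", h)
| bin _time span=1d
| stats sum(b) AS bytes BY _time, pool, h
| eventstats sum(bytes) AS day_bytes BY _time
| eval GB=round(bytes/1024/1024/1024, 3), pct_of_day=round(100*bytes/day_bytes, 1)
| sort 0 _time, -GB
| table _time pool h GB pct_of_day
```

A host that suddenly takes a much larger pct_of_day than on previous days is the first place to look when investigating a license warning.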

splunker12er
Motivator

Excellent... Thank you MuS

MuS
SplunkTrust

Hi, please mark this as answered if it answers your question...you're not only helping others by marking this as answered, but you will also get some karma as well 😉


splunker12er
Motivator

This is very much accepted ...;)