Deployment Setup:
License Master Server -1
********************
Splunk Indexer - 2
Splunk Search head - 1
Heavy Forwarder - 2
I have pointed all the instance to my license master server.
currently , I do calculate the daily license usage of splunk by Indexers , by running the below query in License Master Server :
index=_internal source=*license_usage.log* type=Usage earliest=@d |bucket _time span=1d |stats sum(b) AS volume_bytes by _time host pool i |eval volume_GB=round(volume_bytes/1024/1024/1024,3) |rename i AS indexer_GUID |JOIN indexer_GUID [|REST /services/licenser/slaves | table title label|rename title AS indexer_GUID| rename label AS indexer_name]|timechart values(volume_GB) by indexer_name usenull=f useother=f
Search head & Heavy forwarder doesn't consumes license quota - But license_usage.log files still logs some bytes. (why ?)
_internal logs doesnt consumes any license quota.
query 1:
I would need to monitor the license usage by hosts. where should I run the query ?
Every splunk instance has the license_usage.log file, does all the files captures the usage ?
Do I need to run the below query in each indexers and the total sum ? What is the right way ?
License usage by host :
index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)
Hi splunker12er,
this is how I would do it:
License Usage
view on the license Master to get an overview http[s]://splunk-url:splunkport/en-GB/manager/search/licenseusage#historyTab
hope this helps ...
cheers, MuS
Search head & Heavy forwarder doesn't consumes license quota - But license_usage.log files still logs some bytes. (why ?)
_internal logs doesnt consumes any license quota.
What are the index/source/sourcetype of those events from the SH/HFWD ?
Hi splunker12er,
this is how I would do it:
License Usage
view on the license Master to get an overview http[s]://splunk-url:splunkport/en-GB/manager/search/licenseusage#historyTab
hope this helps ...
cheers, MuS
Okay. If I forward all the splunk instances _internal logs to my 2 indexers.,
to answer this shortly...
_internal
events will be forwarded by default to index _internal
3a. Use the license_usage.log index=_internal source="*license_usage.log"
or change the setting for metrics.log ( http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/Limitsconf )
3b. This way you can search all the internal logs from the search head for troubleshooting reasons or any other use case you need to search any of the others Splunk instances logs.Excellant..Thank you MuS
Hi, please mark this as answered if it answers your question...you're not only helping others by marking this as answered, but you will also get some karma as well 😉
this is very much accpeted ...;)