Solved: How to get the the Splunk License Usage dashboard ...

andrewjhill · ‎04-15-2016

Unfortunately, the Splunk License Usage dashboard only displays the past 30 days of usage data. The usage log belongs to the _internal index and therefore it gets dropped beyond 30 days. After expanding the retention of the _internal index, we still cannot view beyond 30 days using the search outside the dashboard (changing the date/time range and editing the query).

Has anyone else had success with this or have you found alternative ways to view usage data historically?

andrewjhill · ‎10-25-2017

Here's the solution, folks!

Increase the size of the internal index on the license server (change the full domain below):
- https://splunk.your-domain.com:8000/en-US/manager/search/data/indexes
- Increase to ~ 30GB (if you can)

Make a dashboard with this query (change the license amount to anything you want, then set it to overlay):
index=_internal source=*license_usage.log type="RolloverSummary" | timechart sum(eval(round(b/1024/1024/1024))) AS GB | eval license = 100

View solution in original post

andrewjhill · ‎10-25-2017

Here's the solution, folks!

Increase the size of the internal index on the license server (change the full domain below):
- https://splunk.your-domain.com:8000/en-US/manager/search/data/indexes
- Increase to ~ 30GB (if you can)

Make a dashboard with this query (change the license amount to anything you want, then set it to overlay):
index=_internal source=*license_usage.log type="RolloverSummary" | timechart sum(eval(round(b/1024/1024/1024))) AS GB | eval license = 100

andrewjhill · ‎10-25-2017

Update the local indexes.conf file as well -- example:

/opt/splunk/etc/system/local/indexes.conf
[_internal]
maxTotalDataSizeMB = 30720
maxDataSize = 1000
tstatsHomePath = volume:_splunk_summaries/_internaldb/datamodel_summary
coldPath = $SPLUNK_DB/_internaldb/colddb
homePath = $SPLUNK_DB/_internaldb/db
frozenTimePeriodInSecs = 31104000
thawedPath = $SPLUNK_DB/_internaldb/thaweddb
maxHotSpanSecs = 432000

jackiewkc · ‎10-25-2017

Thanks a lot for the information.

jackiewkc · ‎10-25-2017

I would like to capture the same information, i.e. license usage beyond the past 30 days. Can you please advise what needs to be done to extend the retention period?

anupkumar · ‎05-20-2020

Can any one help on this,.. as I too have the same issue.

martin_mueller · ‎04-15-2016

If you recently increased the retention time for _internal you will need to wait for data older than 30 days to exist. Also, make sure the size restriction (in MB) allows for enough older data to exist.

martin_mueller · ‎04-20-2016

What happens if you run this?

index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

andrewjhill · ‎06-01-2016

This is did not work FYI. There are still date mentions of earliest with -30d in the query which I adjusted as well. Still no dice.

martin_mueller · ‎06-03-2016

Work your way back through the search and see what part works and from where on you only see data from the last 30 days.

andrewjhill · ‎04-18-2016

Thanks for the response - It's been configured this way for about 60-days now. Additionally, it's got a lot of breathing room for max-size.

How to get the the Splunk License Usage dashboard to display license usage beyond 30 days?

license

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...