Installation

How to get the the Splunk License Usage dashboard to display license usage beyond 30 days?

andrewjhill
Path Finder

Unfortunately, the Splunk License Usage dashboard only displays the past 30 days of usage data. The usage log belongs to the _internal index and therefore it gets dropped beyond 30 days. After expanding the retention of the _internal index, we still cannot view beyond 30 days using the search outside the dashboard (changing the date/time range and editing the query).

Has anyone else had success with this or have you found alternative ways to view usage data historically?

Labels (1)
0 Karma
1 Solution

andrewjhill
Path Finder

Here's the solution, folks!

Increase the size of the internal index on the license server (change the full domain below):
- https://splunk.your-domain.com:8000/en-US/manager/search/data/indexes
- Increase to ~ 30GB (if you can)

Make a dashboard with this query (change the license amount to anything you want, then set it to overlay):
index=_internal source=*license_usage.log type="RolloverSummary" | timechart sum(eval(round(b/1024/1024/1024))) AS GB | eval license = 100

View solution in original post

andrewjhill
Path Finder

Here's the solution, folks!

Increase the size of the internal index on the license server (change the full domain below):
- https://splunk.your-domain.com:8000/en-US/manager/search/data/indexes
- Increase to ~ 30GB (if you can)

Make a dashboard with this query (change the license amount to anything you want, then set it to overlay):
index=_internal source=*license_usage.log type="RolloverSummary" | timechart sum(eval(round(b/1024/1024/1024))) AS GB | eval license = 100

andrewjhill
Path Finder

Update the local indexes.conf file as well -- example:

/opt/splunk/etc/system/local/indexes.conf
[_internal]
maxTotalDataSizeMB = 30720
maxDataSize = 1000
tstatsHomePath = volume:_splunk_summaries/_internaldb/datamodel_summary
coldPath = $SPLUNK_DB/_internaldb/colddb
homePath = $SPLUNK_DB/_internaldb/db
frozenTimePeriodInSecs = 31104000
thawedPath = $SPLUNK_DB/_internaldb/thaweddb
maxHotSpanSecs = 432000

0 Karma

jackiewkc
Path Finder

Thanks a lot for the information.

0 Karma

jackiewkc
Path Finder

I would like to capture the same information, i.e. license usage beyond the past 30 days. Can you please advise what needs to be done to extend the retention period?

0 Karma

anupkumar
Engager

Can any one help on this,.. as I too have the same issue.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

If you recently increased the retention time for _internal you will need to wait for data older than 30 days to exist. Also, make sure the size restriction (in MB) allows for enough older data to exist.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

What happens if you run this?

index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
0 Karma

andrewjhill
Path Finder

This is did not work FYI. There are still date mentions of earliest with -30d in the query which I adjusted as well. Still no dice.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Work your way back through the search and see what part works and from where on you only see data from the last 30 days.

0 Karma

andrewjhill
Path Finder

Thanks for the response - It's been configured this way for about 60-days now. Additionally, it's got a lot of breathing room for max-size.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...