Unfortunately, the Splunk License Usage dashboard only displays the past 30 days of usage data. The usage log belongs to the _internal index and therefore it gets dropped beyond 30 days. After expanding the retention of the _internal index, we still cannot view beyond 30 days using the search outside the dashboard (changing the date/time range and editing the query).
Has anyone else had success with this or have you found alternative ways to view usage data historically?
If you recently increased the retention time for _internal you will need to wait for data older than 30 days to exist. Also, make sure the size restriction (in MB) allows for enough older data to exist.
Thanks for the response. It's been configured this way for about 60 days now. Additionally, it's got a lot of breathing room for max-size.
What happens if you run this?
index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
This did not work, FYI. There are still date mentions of earliest with -30d in the query, which I adjusted as well. Still no dice.
Work your way back through the search and see what part works and from where on you only see data from the last 30 days.
I would like to capture the same information, i.e. license usage beyond the past 30 days. Can you please advise what needs to be done to extend the retention period?
Here's the solution, folks!
Increase the size of the internal index on the license server (change the full domain below):
- Increase to ~ 30GB (if you can)
Make a dashboard with this query (change the license amount to anything you want, then set it to overlay):
index=_internal source=*license_usage.log type="RolloverSummary" | timechart sum(eval(round(b/1024/1024/1024))) AS GB | eval license = 100
Update the local indexes.conf file as well -- example:
[_internal]
maxTotalDataSizeMB = 30720
maxDataSize = 1000
tstatsHomePath = volume:_splunk_summaries/_internaldb/datamodel_summary
coldPath = $SPLUNK_DB/_internaldb/colddb
homePath = $SPLUNK_DB/_internaldb/db
frozenTimePeriodInSecs = 31104000
thawedPath = $SPLUNK_DB/_internaldb/thaweddb
maxHotSpanSecs = 432000
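The thread names two limits that can each drop old license usage data: the time limit (frozenTimePeriodInSecs) and the size limit (maxTotalDataSizeMB). The following is an added example, not code from any poster in the thread, that reads a stanza like the one above and reports which limit is reached first. The function names and the daily_mb growth figure are assumptions for illustration.

```python
import configparser

# Constructed sample: the retention settings from the stanza posted above.
SAMPLE_CONF = """
[_internal]
maxTotalDataSizeMB = 30720
frozenTimePeriodInSecs = 31104000
maxHotSpanSecs = 432000
"""

REQUIRED = ("maxTotalDataSizeMB", "frozenTimePeriodInSecs")


def retention_report(conf_text, index, daily_mb):
    """Estimate how many days of `index` survive and which setting limits it.

    daily_mb is an ASSUMED average on-disk growth of the index per day;
    measure it on your own license server. Splunk freezes whole buckets,
    so the real cut-off is approximate, not exact to the day.
    """
    if daily_mb <= 0:
        raise ValueError("daily_mb must be positive")
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as written in indexes.conf
    parser.read_string(conf_text)
    if not parser.has_section(index):
        raise KeyError(f"no [{index}] stanza found")
    stanza = parser[index]
    missing = [key for key in REQUIRED if key not in stanza]
    if missing:
        raise ValueError(f"[{index}] does not set: {', '.join(missing)}")
    # Time limit: events older than this many days are eligible to freeze.
    time_days = int(stanza["frozenTimePeriodInSecs"]) / 86400
    # Size limit: days of data that fit before the oldest buckets are frozen.
    size_days = int(stanza["maxTotalDataSizeMB"]) / daily_mb
    time_binds = time_days <= size_days
    return {
        "time_limit_days": time_days,
        "size_limit_days": size_days,
        "effective_days": min(time_days, size_days),
        "binding": "frozenTimePeriodInSecs" if time_binds else "maxTotalDataSizeMB",
    }


def covers(report, wanted_days):
    """True if the estimated retention reaches back `wanted_days` days."""
    return report["effective_days"] >= wanted_days
```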