Installation
Highlighted

How to get the the Splunk License Usage dashboard to display license usage beyond 30 days?

Explorer

Unfortunately, the Splunk License Usage dashboard only displays the past 30 days of usage data. The usage log belongs to the _internal index and therefore it gets dropped beyond 30 days. After expanding the retention of the _internal index, we still cannot view beyond 30 days using the search outside the dashboard (changing the date/time range and editing the query).

Has anyone else had success with this or have you found alternative ways to view usage data historically?

Labels (1)
0 Karma
Highlighted

Re: How to get the the Splunk License Usage dashboard to display license usage beyond 30 days?

SplunkTrust
SplunkTrust

If you recently increased the retention time for _internal you will need to wait for data older than 30 days to exist. Also, make sure the size restriction (in MB) allows for enough older data to exist.

0 Karma
Highlighted

Re: How to get the the Splunk License Usage dashboard to display license usage beyond 30 days?

Explorer

Thanks for the response - It's been configured this way for about 60-days now. Additionally, it's got a lot of breathing room for max-size.

0 Karma
Highlighted

Re: How to get the the Splunk License Usage dashboard to display license usage beyond 30 days?

SplunkTrust
SplunkTrust

What happens if you run this?

index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
0 Karma
Highlighted

Re: How to get the the Splunk License Usage dashboard to display license usage beyond 30 days?

Explorer

This is did not work FYI. There are still date mentions of earliest with -30d in the query which I adjusted as well. Still no dice.

0 Karma
Highlighted

Re: How to get the the Splunk License Usage dashboard to display license usage beyond 30 days?

SplunkTrust
SplunkTrust

Work your way back through the search and see what part works and from where on you only see data from the last 30 days.

0 Karma
Highlighted

Re: How to get the the Splunk License Usage dashboard to display license usage beyond 30 days?

Path Finder

I would like to capture the same information, i.e. license usage beyond the past 30 days. Can you please advise what needs to be done to extend the retention period?

0 Karma
Highlighted

Re: How to get the the Splunk License Usage dashboard to display license usage beyond 30 days?

Engager

Can any one help on this,.. as I too have the same issue.

0 Karma
Highlighted

Re: How to get the the Splunk License Usage dashboard to display license usage beyond 30 days?

Explorer

Here's the solution, folks!

Increase the size of the internal index on the license server (change the full domain below):
- https://splunk.your-domain.com:8000/en-US/manager/search/data/indexes
- Increase to ~ 30GB (if you can)

Make a dashboard with this query (change the license amount to anything you want, then set it to overlay):
index=_internal source=*license_usage.log type="RolloverSummary" | timechart sum(eval(round(b/1024/1024/1024))) AS GB | eval license = 100

View solution in original post

Highlighted

Re: How to get the the Splunk License Usage dashboard to display license usage beyond 30 days?

Explorer

Update the local indexes.conf file as well -- example:

/opt/splunk/etc/system/local/indexes.conf
[internal]
maxTotalDataSizeMB = 30720
maxDataSize = 1000
tstatsHomePath = volume:
splunksummaries/internaldb/datamodelsummary
coldPath = $SPLUNK
DB/internaldb/colddb
homePath = $SPLUNK
DB/internaldb/db
frozenTimePeriodInSecs = 31104000
thawedPath = $SPLUNK
DB/_internaldb/thaweddb
maxHotSpanSecs = 432000

0 Karma