How to view license usage for longer than 30 days?

avalle
Path Finder

Hi there!

So I am trying to figure out a way to see my license usage for longer than thirty days. I opened the report in search and changed earliest=-30d@d in both places, but it still does not work... Can anyone help me figure out what I am missing?

index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d   
| eval _time=_time - 43200 
| bin _time span=1d 
| stats latest(b) AS b by slave, pool, _time 
| timechart span=1d sum(b) AS "volume" fixedrange=false 
| join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d 
    | eval _time=_time - 43200 
    | bin _time span=1d 
    | stats latest(stacksz) AS "stack size" by _time] 
| fields - _timediff  
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
0 Karma

mhammett01
New Member

This would be a better search since the source in the internal index only has 30 days of information. The telemetry index pulls in the license summary source which goes back a lot further.

index=_telemetry host=csh-vm source=*license_usage_summary.log* type="RolloverSummary" earliest=-190d@d 
| eval _time=_time - 273600 
| bin _time span=1d 
| stats latest(b) AS b by slave, pool, _time 
| timechart span=1d sum(b) AS "volume" fixedrange=false 
| join type=outer _time 
    [ search index=_telemetry host=csh-vm source=*license_usage_summary.log* type="RolloverSummary" earliest=-190d@d 
    | eval _time=_time - 273600 
    | bin _time span=1d 
    | dedup _time stack 
    | stats sum(stacksz) AS "stack size" by _time] 
| fields - _timediff 
| foreach "*" 
    [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
0 Karma

lguinn2
Legend

How many days of events exist in _internal? Check and see - you can look at the index settings, or run a search:

index=_internal source=*license_usage.log type="RolloverSummary" earliest=0
| stats count earliest(_time) as earliest_time latest(_time) as latest_time
| eval num_days = round((latest_time - earliest_time)/86400,1)
| eval earliest_time = strftime(earliest_time,"%x %X")
| eval latest_time = strftime(latest_time,"%x %X")

Also, if you run your search over a long time period, you may exceed the subsearch limits in the join.
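
The subsearch limit mentioned above can be sidestepped by computing both series in a single pass, with no join. This is an added example, not a search from any of the posters; it assumes a single license stack (so `stacksz` is identical across slaves and pools on a given day) and uses `stack_size` as a hypothetical output field name. Set `earliest` to the range you need, within what the index actually retains.

```spl
index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(b) AS b latest(stacksz) AS stacksz by slave, pool, _time
| stats sum(b) AS volume max(stacksz) AS stack_size by _time
| eval volume=round(volume/1024/1024/1024, 3), stack_size=round(stack_size/1024/1024/1024, 3)
| sort 0 _time
```

With more than one stack, `max(stacksz)` understates the total; deduplicate per stack and sum instead, as the `_telemetry` search above does.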
