Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Installation
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- Re: How to view license usage for longer than 30 d...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to view license usage for longer than 30 days?
avalle
Path Finder
08-10-2015
06:41 AM
Hi there!
So I am trying to figure out a way to see the my license usage for longer than thirty days . I opened the report in search and changed earliest=-30d@d in both places, but still does not work...... can anyone help me figure out what I am missing?
index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=false
| join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mhammett01
New Member
05-28-2020
02:39 PM
This would be a better search since the source in the internal index only has 30 days of information. The telemetry index pulls in the license summary source which goes back a lot further.
index=_telemetry host=csh-vm source=*license_usage_summary.log* type="RolloverSummary" earliest=-190d@d
| eval _time=_time - 273600
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=false
| join type=outer _time
[ search index=_telemetry host=csh-vm source=*license_usage_summary.log* type="RolloverSummary" earliest=-190d@d
| eval _time=_time - 273600
| bin _time span=1d
| dedup _time stack
| stats sum(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach "*"
[ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
08-10-2015
10:43 AM
How many days of events exist in _internal? Check and see - you can look at the index settings, or run a search:
index=_internal source=*license_usage.log type="RolloverSummary" earliest=0
| stats count earliest(_time) as earliest_time latest(_time) as latest_time
| eval num_days = round((latest_time - earliest_time)/86400,1)
| eval earliest_time = strftime(earliest_time,"%x %X")
| eval latest_time = strftime(latest_time,"%x %X")
Also, if you run your search over a long time period, you may exceed the subsearch limits in the join.
Get Updates on the Splunk Community!
Preparing your Splunk Environment for OpenSSL3
The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...
Unleash Unified Security and Observability with Splunk Cloud Platform
Now Available on Microsoft AzureThursday, March 27, 2025 | 11AM PST / 2PM EST | Register NowStep boldly ...
Splunk AppDynamics with Cisco Secure Application
Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
