Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Installation
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Administration
- :
- Installation
- :
- Re: How to view license usage for longer than 30 d...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to view license usage for longer than 30 days?
avalle
Path Finder
08-10-2015
06:41 AM
Hi there!
So I am trying to figure out a way to see the my license usage for longer than thirty days . I opened the report in search and changed earliest=-30d@d in both places, but still does not work...... can anyone help me figure out what I am missing?
index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=false
| join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mhammett01
New Member
05-28-2020
02:39 PM
This would be a better search since the source in the internal index only has 30 days of information. The telemetry index pulls in the license summary source which goes back a lot further.
index=_telemetry host=csh-vm source=*license_usage_summary.log* type="RolloverSummary" earliest=-190d@d
| eval _time=_time - 273600
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=false
| join type=outer _time
[ search index=_telemetry host=csh-vm source=*license_usage_summary.log* type="RolloverSummary" earliest=-190d@d
| eval _time=_time - 273600
| bin _time span=1d
| dedup _time stack
| stats sum(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach "*"
[ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
08-10-2015
10:43 AM
How many days of events exist in _internal? Check and see - you can look at the index settings, or run a search:
index=_internal source=*license_usage.log type="RolloverSummary" earliest=0
| stats count earliest(_time) as earliest_time latest(_time) as latest_time
| eval num_days = round((latest_time - earliest_time)/86400,1)
| eval earliest_time = strftime(earliest_time,"%x %X")
| eval latest_time = strftime(latest_time,"%x %X")
Also, if you run your search over a long time period, you may exceed the subsearch limits in the join.
Get Updates on the Splunk Community!
Splunk Custom Visualizations App End of Life
The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...
Introducing Splunk Enterprise 9.2
WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...
Adoption of RUM and APM at Splunk
Unleash the power of Splunk Observability
Watch Now
In this can't miss Tech Talk! The Splunk Growth ...
