Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Installation
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- How to view license usage for longer than 30 days?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to view license usage for longer than 30 days?
avalle
Path Finder
08-10-2015
06:41 AM
Hi there!
So I am trying to figure out a way to see the my license usage for longer than thirty days . I opened the report in search and changed earliest=-30d@d in both places, but still does not work...... can anyone help me figure out what I am missing?
index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=false
| join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mhammett01
New Member
05-28-2020
02:39 PM
This would be a better search since the source in the internal index only has 30 days of information. The telemetry index pulls in the license summary source which goes back a lot further.
index=_telemetry host=csh-vm source=*license_usage_summary.log* type="RolloverSummary" earliest=-190d@d
| eval _time=_time - 273600
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=false
| join type=outer _time
[ search index=_telemetry host=csh-vm source=*license_usage_summary.log* type="RolloverSummary" earliest=-190d@d
| eval _time=_time - 273600
| bin _time span=1d
| dedup _time stack
| stats sum(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach "*"
[ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
08-10-2015
10:43 AM
How many days of events exist in _internal? Check and see - you can look at the index settings, or run a search:
index=_internal source=*license_usage.log type="RolloverSummary" earliest=0
| stats count earliest(_time) as earliest_time latest(_time) as latest_time
| eval num_days = round((latest_time - earliest_time)/86400,1)
| eval earliest_time = strftime(earliest_time,"%x %X")
| eval latest_time = strftime(latest_time,"%x %X")
Also, if you run your search over a long time period, you may exceed the subsearch limits in the join.
Get Updates on the Splunk Community!
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
Splunk Decoded: Business Transactions vs Business IQ
It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...
Fastest way to demo Observability
I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...
