Installation
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

License Utilization Trending

sleathley
Explorer
‎06-08-2012 12:46 PM

I have license pooling implemented and would like to generate a report that would chart utilization per day over the past 30 days. Any ideas on how to do that? I had a report that tracked this for each host before I started pooling, but that doesn't work for the pool.

0 Karma
Reply

rmorlen
Splunk Employee
Splunk Employee
‎01-31-2013 07:39 AM

We have pooling and I try and track our license usage (and trying to trend).

I have a scheduled search that runs at 1am in the morning and writes to a summary index (summary_admin) to speed things up.

Scheduled search:
index=_internal host=LICENSE_SERVER_HOSTNAME earliest=-1d@d latest=@d type=Usage st!=splunk_metrics | rename st AS sourcetype | stats sum(eval(b/1024/1024/1024)) AS GB by sourcetype

I then run the following search in Advanced Charting:
index=summary_admin earliest=-30d@d latest=@d | timechart useother="f" span=1d max(GB) by orig_sourcetype | addtotals | sort -_time

Without the summary index it takes some time to run.

To back fill the summary index you can use the python script or use the gui and do:

earliest=-2d@d latest=-1d@d index=_internal host=LICENSE_SERVER_HOSTNAME type=Usage st!=splunk_metrics | rename st AS sourcetype | stats sum(eval(b/1024/1024/1024)) AS GB by sourcetype | collect index=summary_admin

Just change earliest and latest by one day at a time.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-08-2012 12:59 PM

Something like this?

index=_internal source="*license_usage.*" earliest=-30d@d |eval MB=round(b/1024/1024,1)| eval LMB=round(poolsz/1024/1024,1)|timechart span=1d sum(MB) AS Daily_MB values(LMB) AS Limit_MB by pool

That would at least give you an idea of where to start. Other than that you could take a peek on how the searches for the Deployment Monitor are built.

Hope this helps,

Kristian

Reply

sleathley
Explorer
‎06-08-2012 02:53 PM

Yep, I get zero output for that just like my pre-pooling search now produces, which was:
index=_internal host=indexer* todaysBytesIndexed LicenseManager-Audit source=*license_audit.log | eval Daily_Indexing_Volume_in_MBs = todaysBytesIndexed/1024/1024 | bucket _time span=1d | stats avg(Daily_Indexing_Volume_in_MBs) AS UsageMB first(licenseSize) AS LicenseSize by _time host | eval UsagePercent=UsageMB/LicenseSize*100 | eval UsagePercent=round(UsagePercent, 2) | table _time host LicenseSize UsageMB UsagePercent

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...