Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

License Utilization Trending

sleathley
Explorer
‎06-08-2012 12:46 PM

I have license pooling implemented and would like to generate a report that would chart utilization per day over the past 30 days. Any ideas on how to do that? I had a report that tracked this for each host before I started pooling, but that doesn't work for the pool.

0 Karma
Reply

rmorlen
Splunk Employee
Splunk Employee
‎01-31-2013 07:39 AM

We have pooling and I try and track our license usage (and trying to trend).

I have a scheduled search that runs at 1am in the morning and writes to a summary index (summary_admin) to speed things up.

Scheduled search:
index=_internal host=LICENSE_SERVER_HOSTNAME earliest=-1d@d latest=@d type=Usage st!=splunk_metrics | rename st AS sourcetype | stats sum(eval(b/1024/1024/1024)) AS GB by sourcetype

I then run the following search in Advanced Charting:
index=summary_admin earliest=-30d@d latest=@d | timechart useother="f" span=1d max(GB) by orig_sourcetype | addtotals | sort -_time

Without the summary index it takes some time to run.

To back fill the summary index you can use the python script or use the gui and do:

earliest=-2d@d latest=-1d@d index=_internal host=LICENSE_SERVER_HOSTNAME type=Usage st!=splunk_metrics | rename st AS sourcetype | stats sum(eval(b/1024/1024/1024)) AS GB by sourcetype | collect index=summary_admin

Just change earliest and latest by one day at a time.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-08-2012 12:59 PM

Something like this?

index=_internal source="*license_usage.*" earliest=-30d@d |eval MB=round(b/1024/1024,1)| eval LMB=round(poolsz/1024/1024,1)|timechart span=1d sum(MB) AS Daily_MB values(LMB) AS Limit_MB by pool

That would at least give you an idea of where to start. Other than that you could take a peek on how the searches for the Deployment Monitor are built.

Hope this helps,

Kristian

Reply

sleathley
Explorer
‎06-08-2012 02:53 PM

Yep, I get zero output for that just like my pre-pooling search now produces, which was:
index=_internal host=indexer* todaysBytesIndexed LicenseManager-Audit source=*license_audit.log | eval Daily_Indexing_Volume_in_MBs = todaysBytesIndexed/1024/1024 | bucket _time span=1d | stats avg(Daily_Indexing_Volume_in_MBs) AS UsageMB first(licenseSize) AS LicenseSize by _time host | eval UsagePercent=UsageMB/LicenseSize*100 | eval UsagePercent=round(UsagePercent, 2) | table _time host LicenseSize UsageMB UsagePercent

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...