Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

License Utilization Trending

sleathley
Explorer
‎06-08-2012 12:46 PM

I have license pooling implemented and would like to generate a report that would chart utilization per day over the past 30 days. Any ideas on how to do that? I had a report that tracked this for each host before I started pooling, but that doesn't work for the pool.

0 Karma
Reply

rmorlen
Splunk Employee
Splunk Employee
‎01-31-2013 07:39 AM

We have pooling and I try and track our license usage (and trying to trend).

I have a scheduled search that runs at 1am in the morning and writes to a summary index (summary_admin) to speed things up.

Scheduled search:
index=_internal host=LICENSE_SERVER_HOSTNAME earliest=-1d@d latest=@d type=Usage st!=splunk_metrics | rename st AS sourcetype | stats sum(eval(b/1024/1024/1024)) AS GB by sourcetype

I then run the following search in Advanced Charting:
index=summary_admin earliest=-30d@d latest=@d | timechart useother="f" span=1d max(GB) by orig_sourcetype | addtotals | sort -_time

Without the summary index it takes some time to run.

To back fill the summary index you can use the python script or use the gui and do:

earliest=-2d@d latest=-1d@d index=_internal host=LICENSE_SERVER_HOSTNAME type=Usage st!=splunk_metrics | rename st AS sourcetype | stats sum(eval(b/1024/1024/1024)) AS GB by sourcetype | collect index=summary_admin

Just change earliest and latest by one day at a time.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-08-2012 12:59 PM

Something like this?

index=_internal source="*license_usage.*" earliest=-30d@d |eval MB=round(b/1024/1024,1)| eval LMB=round(poolsz/1024/1024,1)|timechart span=1d sum(MB) AS Daily_MB values(LMB) AS Limit_MB by pool

That would at least give you an idea of where to start. Other than that you could take a peek on how the searches for the Deployment Monitor are built.

Hope this helps,

Kristian

Reply

sleathley
Explorer
‎06-08-2012 02:53 PM

Yep, I get zero output for that just like my pre-pooling search now produces, which was:
index=_internal host=indexer* todaysBytesIndexed LicenseManager-Audit source=*license_audit.log | eval Daily_Indexing_Volume_in_MBs = todaysBytesIndexed/1024/1024 | bucket _time span=1d | stats avg(Daily_Indexing_Volume_in_MBs) AS UsageMB first(licenseSize) AS LicenseSize by _time host | eval UsagePercent=UsageMB/LicenseSize*100 | eval UsagePercent=round(UsagePercent, 2) | table _time host LicenseSize UsageMB UsagePercent

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...