Monitoring Splunk

Get License limit

lux209
Explorer

Hello,

I'm building a search to get alerted when we go over the license. I have a search that is working well to get the license usage and get alert when it goes over the 300GB license:


index=_internal source=*license_usage.log type=Usage pool=*
| eval _time=strftime(_time,"%m-%d-%y")
| stats sum(b) as ub by _time
| eval ub=round(ub/1024/1024/1024,3)
| eval _time=strptime(_time,"%m-%d-%y")
| sort _time
| eval _time=strftime(_time,"%m-%d-%y")
| rename _time as Date ub as "Daily License Quota Used"
| where 'Daily License Quota Used' > 300

But here as you can see I did set the 300GB limit manually in the search. Is there a way to get this info from Splunk directly ? I see that in the CMC it use `sim_licensing_limit` to get the info, but this doesn't work when doing a search outside the CMC.

Thanks !

Lucas

isoutamo
SplunkTrust
You can use Ctrl+Shift+E to expand macros in the SPL window, or Cmd+Shift+E on macOS.
That way you can expand the CMC's query in the CMC app and then copy and modify it in your own app.

isoutamo
SplunkTrust

This seems to work on search app 

index=_internal source=*license_usage.log* (host=*.splunk*.* NOT (host=sh-* host=*.splunk*.*)) TERM("type=RolloverSummary") 
| rex field=_raw "^(?<timestring>\d\d-\d\d-\d{4}\s\d\d:\d\d:\d\d.\d{3}\s\+\d{4})" 
| eval _time=strptime(timestring,"%m-%d-%Y %H:%M:%S.%N%z") 
| eval z=strftime(now(),"%z") 
| eval m=substr(z,-2) 
| eval h=substr(z,2,2) 
| eval mzone=if(z != 0, ((h*60)+m)*(z/abs(z)), 0) 
| eval min_to_utc=-1440-mzone 
| eval rel_time=min_to_utc."m" 
| eval _time=relative_time(_time, rel_time) + 1 
| bin _time span=1d 
| stats latest(b) AS b by slave, pool, _time 
| timechart span=1d sum(b) AS "volume" fixedrange=false 
| eval GB=round(volume/pow(2,30),3) 
| append 
    [| search (index=_cmc_summary OR index=summary) source="splunk-entitlements" 
    | rex field=host "^[^.]+[.](?<stack>[^.]+)" 
    | search 
        [| rest /services/server/info splunk_server=local 
        | fields splunk_server 
        | rex field=splunk_server "^[^.]+[.](?<stack>[^.]+)" 
        | fields stack] 
    | rex field=_raw "^(?<timestring>\d\d/\d\d/\d{4}\s\d\d:\d\d:\d\d\s\+\d{4})" 
    | eval _time=strptime(timestring,"%m/%d/%Y %H:%M:%S %z") 
    | eval z=strftime(now(),"%z") 
    | eval m=substr(z,-2) 
    | eval h=substr(z,2,2) 
    | eval mzone=if(z != 0, ((h*60)+m)*(z/abs(z)), 0) 
    | eval min_to_utc=-1440-mzone 
    | eval rel_time=min_to_utc."m" 
    | eval _time=relative_time(_time, rel_time) 
    | bin _time span=1d 
    | stats max(ingest_license) as "license limit" by _time] 
| stats values(*) as * by _time 
| fields - volume

cfcvendorsuppor
Explorer

Hi isoutamo,

Thank you for the tip regarding the CMC to get the macro!

I tested your query and it is working well! Thank you for this, I will review it to fully understand it 🙂


livehybrid
SplunkTrust

Hi @lux209 ,

You're on the right track with your search. To dynamically retrieve the license limit within your search, you can leverage license_usage.log itself, which contains details about the license limits.

You can modify your search to include the license limit by using the type=RolloverSummary events in license_usage.log. This type includes both the daily license usage and the daily license limits. Here's how you can adjust your search:


index=_internal source=*license_usage.log type=RolloverSummary host=macdev
| stats latest(poolsz) as total_license_limit_gb, sum(b) as total_usage_bytes by _time
| eval total_usage_gb=round(total_usage_bytes/1024/1024/1024,3)
| rename _time as Date total_usage_gb as "Daily License Usage", total_license_limit_gb as "Daily License Limit"
| where 'Daily License Usage' > 'Daily License Limit'


Key Points:

    1. type=RolloverSummary: This record type provides a summary of the license usage and limits for each pool.
    2. poolsz field: Represents the total license limit for the day in bytes, which you convert to GB.
    3. Dynamic Limits: By using this field, you avoid hardcoding the license limit in your alert.

Consider setting up alerts not only when the limit is exceeded but also when usage approaches a certain percentage of the limit (e.g., 80-90%) to give you more lead time to react.

For further details and best practices, you can refer to the Splunk Documentation on License Usage and License Monitoring.


🌟Did this answer help you? If so, please consider:

  • Adding kudos to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

lux209
Explorer

Hi livehybrid,

Thank you for your help and the information!

I did some tests and it is looking promising, I just have an issue with the poolsz field: the value I get for total_license_limit_gb or "Daily License Limit" is 18446744073709551615, and my license limit is 300GB.

Do I need to change something to get the 300GB limit? I guess this is something around ", sum(b) as total_usage_bytes by _time" to change, but I'm not sure what?


Thank you !


livehybrid
SplunkTrust

Hi @lux209 

wow - 18446744073709551615 is presumably an error somewhere! I realised I left my host=macdev in the previous search, but I guess you noticed and fixed that 🙂
If you have a distributed environment then you should set host=<YourLicenseServer> - which makes me wonder - are you in Splunk Cloud?

If you're in Splunk Cloud then the license limit might be measured slightly differently (and that might explain the "16384 petabyte" poolsz value 😂).

Either way, at this point you might be best with the following:

index=_internal source=*license_usage.log type=RolloverSummary 
| stats latest(poolsz) as total_license_limit_gb, sum(b) as total_usage_bytes by _time
| eval total_usage_gb=round(total_usage_bytes/1024/1024/1024,3)
| rename _time as Date total_usage_gb as "Daily License Usage"
| eval limitGB=300
| where 'Daily License Usage' > limitGB



lux209
Explorer

Hi livehybrid,

Yes, I did change host=macdev in my test, and you are correct, I forgot to mention that I'm testing this in Splunk Cloud. For the on-prem infra I'm just looking for the default license alert messages in the internal logs, as they already contain the information when we exceed the license, but this doesn't work on the cloud.

I tested your query, it is working perfectly and it is much faster than my initial query.

Would it be complicated to dynamically get the license limit information on the cloud? I see that the CMC has it with `sim_licensing_limit`, but it is not usable outside the CMC.

Thanks !


livehybrid
SplunkTrust

Hi @lux209 

If you want to dynamically pull in your ingest license on Splunk Cloud then you can use the following:

index IN (_cmc_summary, summary) sourcetype=splunk-entitlements | table _time ingest_license

Below is an update to the original search to include this:

index=_internal source=*license_usage.log type=RolloverSummary 
| append [search index IN (_cmc_summary, summary) sourcetype=splunk-entitlements | table _time ingest_license] 
| stats latest(ingest_license) as total_license_limit_gb, sum(b) as total_usage_bytes by _time
| eval total_usage_gb=round(total_usage_bytes/1024/1024/1024,3)
| rename _time as Date total_usage_gb as "Daily License Usage"
| where 'Daily License Usage' > total_license_limit_gb



lux209
Explorer

Hello,

Interesting, I had to adapt the limit query a bit, as the sourcetype did not exist on my side:
index IN (_cmc_summary, summary) ingest_license=* | table _time ingest_license

I tried the search but it is not working: I either have a value in the total_license_limit_gb column or in the Daily License Usage column, but not both at the same time, so the last where cannot do the test.

Here is the result sorted by the daily usage:
(screenshot: daily.png)

And sorted by the limit:
(screenshot: limit.png)

I tried to do the search differently and also used poolsz, but without luck.

Any idea?

Thank you again for your great help

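The problem reported in the last post is that `append` adds the entitlement rows at their own timestamps, so `stats ... by _time` never places a usage value and a limit value on the same row; the two values end up in separate rows and the final `where` has nothing to compare. The search below is an added example, not posted by anyone in this thread, that fixes this by bucketing both data sets to whole days before combining them, and folds in livehybrid's suggestion of warning at 80% of the limit. It assumes, as the thread does, that `ingest_license` is already expressed in GB and that each `type=RolloverSummary` event in license_usage.log carries one `b` value per pool. Two further assumptions are labelled in the usage note: the `filldown` step assumes the entitlement record is not necessarily written every day, and the one-day shift on `_time` assumes a RolloverSummary event is stamped at the rollover after the day it summarizes (isoutamo's `relative_time` arithmetic makes the same correction with explicit time-zone handling).

```spl
index=_internal source=*license_usage.log type=RolloverSummary
| eval _time=_time-86400
| bin _time span=1d
| stats sum(b) as usage_bytes by _time
| append
    [ search index IN (_cmc_summary, summary) ingest_license=*
      | bin _time span=1d
      | stats latest(ingest_license) as limit_gb by _time ]
| stats sum(usage_bytes) as usage_bytes, max(limit_gb) as limit_gb by _time
| filldown limit_gb
| where isnotnull(usage_bytes) AND isnotnull(limit_gb)
| eval usage_gb=round(usage_bytes/1024/1024/1024,3)
| eval pct_of_limit=round(100*usage_gb/limit_gb,1)
| eval status=case(usage_gb > limit_gb, "OVER LIMIT", pct_of_limit >= 80, "WARNING", true(), "OK")
| where status != "OK"
| eval Date=strftime(_time,"%Y-%m-%d")
| table Date usage_gb limit_gb pct_of_limit status
```

Run it over a range of at least a few days so the entitlement subsearch returns something. The `bin _time span=1d` on both sides is what makes the `stats ... by _time` merge work; `filldown` carries the last known limit forward onto days where no entitlement record was written, and a day that has usage but no limit at all is dropped by the `isnotnull()` filter rather than compared against an empty field. If your environment stamps RolloverSummary events differently, remove the `eval _time=_time-86400` line. Saved as an alert, trigger on "number of results is greater than 0" so both the 80% warning and the over-limit condition raise it.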