Monitoring Splunk

License Usage per sourcetype

m87
New Member

i use the below search to calculate the license usage per sourcetype :

index=_internal source="/opt/splunk/var/log/splunk/license_usage.log"

|stats sum(b) as total_bytes by st
|eval Total_GB = (((total_bytes/1024)/1024)/1024)

but the total usage (850GB) exceeds my license which is 450GB, does this mean that the other (400GB) is not indexed or the search result is wrong ??

Labels (1)
Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi m87,
for license usage I suggest to use the Splunk dashboards [Settings -- Licensing -- Usage Repors -- Previous 30 days].

Anyway, you can exceed your license until 5 times in 30 days without violation.
If you exceed your license for 5 times or more, you have a violation, but indexing and searching continue as well as no violation and there are only messages of violation.

Until version 6, after 5 violation there was a block of searches but indexing continued, now, there's no blocks, only messages.

For more details, see https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Aboutlicenseviolations

Ciao.
Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi m87,
for license usage I suggest to use the Splunk dashboards [Settings -- Licensing -- Usage Repors -- Previous 30 days].

Anyway, you can exceed your license until 5 times in 30 days without violation.
If you exceed your license for 5 times or more, you have a violation, but indexing and searching continue as well as no violation and there are only messages of violation.

Until version 6, after 5 violation there was a block of searches but indexing continued, now, there's no blocks, only messages.

For more details, see https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Aboutlicenseviolations

Ciao.
Giuseppe

0 Karma

m87
New Member

Thank you gcusello for the clarification.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...