Hi @gcusello 

I forgot to mention it, our Splunk is associated with other remote Splunk master so that option is not available for us.

When I try to go to that page, I received the following message

This server is associated with a remote master license server

any other way to get the same information from a "slave" splunk?

thanks

Jose

Hi @corti77,

Have you access to the Splunk Monitor Console?

if yes, you have the same information.

If not, you can use the following search

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx   
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false  
| join type=outer _time [ search 
     index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d 
     | eval _time=_time - 43200 
     | bin _time span=1d 
     | dedup _time stack 
     | stats sum(stacksz) AS "stack size" by _time
     ] 
| fields - _timediff  
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

but you need to access the _internal index.

Ciao.

Giuseppe

Hi @corti77 

try this search

index=_internal source=*license_usage.log type="Usage" splunk_server=* earliest=-1w@d | eval Date=strftime(_time, "%Y/%m/%d") | eventstats sum(b) as volume by idx, Date | eval MB=round(volume/1024/1024,5)| timechart first(MB) AS volume by idx

hope can help

thanks but I have no access to license_usage.log. our splunk depends to a master splunk and it might be not properly configured 😕

Hi,

I tried that option Settings -> monitoring console --> Indexing-> license usage-> license usage - today

and it simply says "No results found"

I also tried your query but I didnt get any event either. I have access to _internal index but the source "license_usage.log" does not seem to be accessible. 

Cheers

jose

Hi @corti77,

This means that the License Master isn't configured (wrong!) to send it's internal logs to the Indexers.

In this case there isn't any solution to your problem without changing something:

• you (or someone else in your organization) have to configure the License Master to send internal logs to the Indexers;
• you have to be enabled to access the License Server.

Ciao.

Giuseppe

Hi @gcusello 

finally I changed the approach and I tried to find which host was indexing more data, and from there, identify which index was "consuming" the splunk license.

the query that make the magic was

index=_internal sourcetype=splunkd group=per_host_thruput earliest=-1mon@mon latest=@mon | bucket _time span=1d | stats sum(kb) as total by series,_time | stats avg(total) as average by series
|eval averageMB=round(average/1024,2)
|fields - average
|rename series as "Host Server",averageMB as "Average size per day in MB" 

I hope it can help someone else.

Cheers