Monitoring Splunk

Splunk License Usage - Month over Month

moesaidi
Path Finder

We upgraded to 6.5.2 recently and was under the impression that 6.5 keeps license usage history over 30 days (unlike the older 6.2, etc..)

When I check out LURV or try to run a few searches, I can still only see 30 days worth of license usage data.

Has anyone been able to identify a way to generate a report of license usage over, say, the past 6 months to try to determine growth projections and whether additional license will need to be purchased over X months etc.. ?

Any help is appreciated.

Tags (1)
0 Karma

woodcock
Esteemed Legend

If the problem is that events are expiring out of _internal or _telemetry while you still need them and you cannot extend the retention, you can create a summary index (which will be TINY) and schedule a saved search to run nightly that dumps a daily summary and you can search from that.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

In addition to this, you can adjust the retention time of the _internal index. This is where the metrics and license usage data is stored. Extend that to 6 /9 / 12 months etc.
Just be aware of the implications this would have on disk space on your indexers.

0 Karma

moesaidi
Path Finder

I wish I could set _index to over 30 days though like you said, that would use up a lot of disk space.
I was under the impression _telemetry would save licensing data and that by default is kept for 6 months.

0 Karma

woodcock
Esteemed Legend
0 Karma

moesaidi
Path Finder

I've tried this before and now again, even after adjusting the 'earliest' value or using timewrap it only shows me the last 30 days.
It seems to use the _internal index which is only retained for 30 days, but I thought 6.5.x and higher was using _telemetry index for licensing which is stored for 6 months.

Any other ideas?

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...