Monitoring Splunk
Highlighted

Splunk license warnings are based on type=Usage or type=RollOverSummary?

Influencer

Hi,

The Splunk warnings that we see in license master - is it based on license_usage log's type=Usage or type=RollOverSummary?

Earlier i had raised a different question on these types - https://answers.splunk.com/answers/397911/what-is-the-difference-between-rolloversummary-and.html

The splunk documentation or splunk wiki doesn't talk much about the differences between these types?

Could you please help to understand this better.

Thanks,
Mahesh

Highlighted

Re: Splunk license warnings are based on type=Usage or type=RollOverSummary?

Champion

Updated -
We need to use type="RolloverSummary" only.

Navigate path, to go to Licensing Page -
Settings -> Distributed Management Console -> (3rd tab) Indexing -> Licensing

last 30 days daily volume

index=_internal  source=*license_usage.log type="RolloverSummary" earliest=-30d@d   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal  source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
0 Karma