Monitoring Splunk

How can we get Splunk license % usage data over a long period of time? (>60 days)

sdintino_splunk
Splunk Employee

How can we get Splunk license % usage data over a long period of time? The following query only gives us the last 2 months of data:

index=_internal source="license_usage.log" type=usage idx=""
| eval MB = round(b/1024/1024,2)
| timechart span=1d sum(MB) by idx
| addtotals


jtuchscherer_sp
Splunk Employee

(I assume you are referring to the ingest based license model here)

If you are in a Splunk managed Splunk Cloud environment, you can take a look at the Volume License dashboard that is part of the Cloud Monitoring Console. On that dashboard, the _telemetry index is used. That index typically has a retention period of 720 days, so you should be able to go back past 2 months.

Here is the query used on that page:

(host=*.*splunk*.* NOT host=sh*.*splunk*.* index=_telemetry source=*license_usage_summary.log* type="RolloverSummary") 
| bin _time span=1d 
| stats latest(b) AS b by slave, pool, _time 
| timechart span=1d sum(b) AS "volume" fixedrange=true 
| eval GB=round((((volume / 1024) / 1024) / 1024),3), Volume=GB 
| fields - GB, volume


gcusello
SplunkTrust

Hi @sdintino [Splunk],
you could also plan to schedule the following search to be executed every night at 23.59:

| rest splunk_server=local /services/licenser/pools 
| stats sum(used_bytes) as used 
| eval usedGB=round(used/1024/1024/1024,3) 
| collect index=license_consuption

and save it in a summary index with a retention of 60 days.

Ciao.
Giuseppe
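
One way to wire up the nightly search from the reply above, as an added example that is not part of the original post or Splunk's own configuration. It assumes the search runs on the license manager, uses the summary-index alert action to write the result, and the stanza name and index paths are hypothetical.

```ini
# savedsearches.conf  (stanza name is hypothetical)
[license_usage_nightly_snapshot]
# The search from the reply without its last line: the summary-index
# action below writes the result row to the index instead.
search = | rest splunk_server=local /services/licenser/pools \
| stats sum(used_bytes) as used \
| eval usedGB=round(used/1024/1024/1024,3)
enableSched = 1
# Every night at 23:59, as suggested in the reply.
cron_schedule = 59 23 * * *
action.summary_index = 1
action.summary_index._name = license_consuption

# indexes.conf  (paths are assumptions; adjust to your volume layout)
[license_consuption]
homePath   = $SPLUNK_DB/license_consuption/db
coldPath   = $SPLUNK_DB/license_consuption/colddb
thawedPath = $SPLUNK_DB/license_consuption/thaweddb
# 60 days * 86400 s = 5184000 s, the retention named in the reply.
frozenTimePeriodInSecs = 5184000

# Read the snapshots back with:
#   index=license_consuption | timechart span=1d latest(usedGB) AS usedGB
```

The history available from this index is bounded by `frozenTimePeriodInSecs`, independently of the retention on `_internal`.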

richgalloway
SplunkTrust

License usage information is limited to the retention period of your _internal index. By default, that is 30 days, but your environment may be set to 60 days.

---
If this reply helps you, Karma would be appreciated.