Monitoring Splunk

how can we get Splunk license % usage data over long period of time? (>60 days)

sdintino_splunk
Splunk Employee
Splunk Employee

how can we get Splunk license % usage data over long period of time? The following query only gives us last 2 months of data:

index=_internal source="license_usage.log" type=usage idx=""
| eval MB = round(b/1024/1024,2)
| timechart span=1d sum(MB) by idx
| addtotals

Labels (1)
0 Karma
1 Solution

jtuchscherer_sp
Splunk Employee
Splunk Employee

(I assume you are referring to the ingest based license model here)

If you are in a Splunk managed Splunk Cloud environment, you can take a look at the Volume License dashboard that is part of the Cloud Monitoring Console. On that dashboard, the _telemetry index is used. That index typically has a retention period of 720 days, so you should be able to go back past 2 months.

Here is the query used on that page:

(host=*.*splunk*.* NOT host=sh*.*splunk*.* index=_telemetry source=*license_usage_summary.log* type="RolloverSummary") 
| bin _time span=1d 
| stats latest(b) AS b by slave, pool, _time 
| timechart span=1d sum(b) AS "volume" fixedrange=true 
| eval GB=round((((volume / 1024) / 1024) / 1024),3), Volume=GB 
| fields - GB, volume

View solution in original post

gcusello
Esteemed Legend

HI @sdintino [Splunk],
you could also plan to schedule the following search to be execute every night at 23.59:

| rest splunk_server=local /services/licenser/pools 
| stats sum(used_bytes) as used 
| eval usedGB=round(used/1024/1024/1024,3) 
| summary index=license_consuption

and save it in a summary index with a retention of 60 days.

Ciao.
Giuseppe

jtuchscherer_sp
Splunk Employee
Splunk Employee

(I assume you are referring to the ingest based license model here)

If you are in a Splunk managed Splunk Cloud environment, you can take a look at the Volume License dashboard that is part of the Cloud Monitoring Console. On that dashboard, the _telemetry index is used. That index typically has a retention period of 720 days, so you should be able to go back past 2 months.

Here is the query used on that page:

(host=*.*splunk*.* NOT host=sh*.*splunk*.* index=_telemetry source=*license_usage_summary.log* type="RolloverSummary") 
| bin _time span=1d 
| stats latest(b) AS b by slave, pool, _time 
| timechart span=1d sum(b) AS "volume" fixedrange=true 
| eval GB=round((((volume / 1024) / 1024) / 1024),3), Volume=GB 
| fields - GB, volume

richgalloway
SplunkTrust
SplunkTrust

License usage information is limited to the retention period of your _internal index. By default, that is 30 days, but your environment may be set to 60 days.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...