how can we get Splunk license % usage data over long period of time? The following query only gives us last 2 months of data:
index=_internal source="license_usage.log" type=usage idx=""
| eval MB = round(b/1024/1024,2)
| timechart span=1d sum(MB) by idx
| addtotals
(I assume you are referring to the ingest based license model here)
If you are in a Splunk managed Splunk Cloud environment, you can take a look at the Volume License dashboard that is part of the Cloud Monitoring Console. On that dashboard, the _telemetry
index is used. That index typically has a retention period of 720 days, so you should be able to go back past 2 months.
Here is the query used on that page:
(host=*.*splunk*.* NOT host=sh*.*splunk*.* index=_telemetry source=*license_usage_summary.log* type="RolloverSummary")
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=true
| eval GB=round((((volume / 1024) / 1024) / 1024),3), Volume=GB
| fields - GB, volume
HI @sdintino [Splunk],
you could also plan to schedule the following search to be execute every night at 23.59:
| rest splunk_server=local /services/licenser/pools
| stats sum(used_bytes) as used
| eval usedGB=round(used/1024/1024/1024,3)
| summary index=license_consuption
and save it in a summary index with a retention of 60 days.
Ciao.
Giuseppe
(I assume you are referring to the ingest based license model here)
If you are in a Splunk managed Splunk Cloud environment, you can take a look at the Volume License dashboard that is part of the Cloud Monitoring Console. On that dashboard, the _telemetry
index is used. That index typically has a retention period of 720 days, so you should be able to go back past 2 months.
Here is the query used on that page:
(host=*.*splunk*.* NOT host=sh*.*splunk*.* index=_telemetry source=*license_usage_summary.log* type="RolloverSummary")
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=true
| eval GB=round((((volume / 1024) / 1024) / 1024),3), Volume=GB
| fields - GB, volume
License usage information is limited to the retention period of your _internal index. By default, that is 30 days, but your environment may be set to 60 days.