Monitoring Splunk

How can we get Splunk license % usage data over a long period of time? (>60 days)

sdintino_splunk
Splunk Employee

How can we get Splunk license % usage data over a long period of time? The following query only gives us the last 2 months of data:

index=_internal source="license_usage.log" type=usage idx=""
| eval MB = round(b/1024/1024,2)
| timechart span=1d sum(MB) by idx
| addtotals


jtuchscherer_sp
Splunk Employee

(I assume you are referring to the ingest based license model here)

If you are in a Splunk managed Splunk Cloud environment, you can take a look at the Volume License dashboard that is part of the Cloud Monitoring Console. On that dashboard, the _telemetry index is used. That index typically has a retention period of 720 days, so you should be able to go back past 2 months.

Here is the query used on that page:

(host=*.*splunk*.* NOT host=sh*.*splunk*.* index=_telemetry source=*license_usage_summary.log* type="RolloverSummary") 
| bin _time span=1d 
| stats latest(b) AS b by slave, pool, _time 
| timechart span=1d sum(b) AS "volume" fixedrange=true 
| eval GB=round((((volume / 1024) / 1024) / 1024),3), Volume=GB 
| fields - GB, volume

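The question asks for a percentage, which the dashboard query above does not compute. The following search is an added example (not part of the original reply or of the Cloud Monitoring Console) that reuses the same base search and divides each day's volume by the license stack size. It assumes the RolloverSummary events in _telemetry carry the `stacksz` field as they do in license_usage.log; the 365-day window and the output field names are illustrative choices.

```spl
(host=*.*splunk*.* NOT host=sh*.*splunk*.* index=_telemetry source=*license_usage_summary.log* type="RolloverSummary") earliest=-365d@d
| bin _time span=1d
| stats latest(b) AS b latest(stacksz) AS stacksz by slave, pool, _time
| stats sum(b) AS used_bytes max(stacksz) AS quota_bytes by _time
| eval used_GB=round(used_bytes/1024/1024/1024, 3)
| eval quota_GB=round(quota_bytes/1024/1024/1024, 3)
| eval pct_used=round(used_bytes / quota_bytes * 100, 1)
| table _time used_GB quota_GB pct_used
```

If `quota_GB` comes back empty, the `stacksz` assumption does not hold for your events and the quota has to be supplied another way.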

gcusello
SplunkTrust

Hi @sdintino [Splunk],
you could also plan to schedule the following search to be executed every night at 23.59:

| rest splunk_server=local /services/licenser/pools 
| stats sum(used_bytes) as used 
| eval usedGB=round(used/1024/1024/1024,3) 
| collect index=license_consuption

and save it in a summary index with a retention of 60 days.

Ciao.
Giuseppe

richgalloway
SplunkTrust

License usage information is limited to the retention period of your _internal index. By default, that is 30 days, but your environment may be set to 60 days.

---
If this reply helps you, Karma would be appreciated.