Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how can we get Splunk license % usage data over long period of time? (>60 days)

sdintino_splunk
Splunk Employee
Splunk Employee
‎06-01-2020 10:19 AM

how can we get Splunk license % usage data over long period of time? The following query only gives us last 2 months of data:

index=_internal source="license_usage.log" type=usage idx=""
| eval MB = round(b/1024/1024,2)
| timechart span=1d sum(MB) by idx
| addtotals

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jtuchscherer_sp
Splunk Employee
Splunk Employee
‎06-01-2020 03:57 PM

(I assume you are referring to the ingest based license model here)

If you are in a Splunk managed Splunk Cloud environment, you can take a look at the Volume License dashboard that is part of the Cloud Monitoring Console. On that dashboard, the _telemetry index is used. That index typically has a retention period of 720 days, so you should be able to go back past 2 months.

Here is the query used on that page:

(host=*.*splunk*.* NOT host=sh*.*splunk*.* index=_telemetry source=*license_usage_summary.log* type="RolloverSummary") 
| bin _time span=1d 
| stats latest(b) AS b by slave, pool, _time 
| timechart span=1d sum(b) AS "volume" fixedrange=true 
| eval GB=round((((volume / 1024) / 1024) / 1024),3), Volume=GB 
| fields - GB, volume

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-02-2020 01:38 AM

HI @sdintino [Splunk],
you could also plan to schedule the following search to be execute every night at 23.59:

| rest splunk_server=local /services/licenser/pools 
| stats sum(used_bytes) as used 
| eval usedGB=round(used/1024/1024/1024,3) 
| summary index=license_consuption

and save it in a summary index with a retention of 60 days.

Ciao.
Giuseppe

Reply
Solved! Jump to solution
Solution

jtuchscherer_sp
Splunk Employee
Splunk Employee
‎06-01-2020 03:57 PM

(I assume you are referring to the ingest based license model here)

If you are in a Splunk managed Splunk Cloud environment, you can take a look at the Volume License dashboard that is part of the Cloud Monitoring Console. On that dashboard, the _telemetry index is used. That index typically has a retention period of 720 days, so you should be able to go back past 2 months.

Here is the query used on that page:

(host=*.*splunk*.* NOT host=sh*.*splunk*.* index=_telemetry source=*license_usage_summary.log* type="RolloverSummary") 
| bin _time span=1d 
| stats latest(b) AS b by slave, pool, _time 
| timechart span=1d sum(b) AS "volume" fixedrange=true 
| eval GB=round((((volume / 1024) / 1024) / 1024),3), Volume=GB 
| fields - GB, volume
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-01-2020 10:40 AM

License usage information is limited to the retention period of your _internal index. By default, that is 30 days, but your environment may be set to 60 days.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...