Security

How to generate a search to obtain a report on licensed users and their Total and Average license usage over a 60 day period?

splgeek
Explorer

How can I generate a SPL search to get data on Splunk licensed users along with their license usage (total and average) over a 60-day period?

I have searched Answers and I couldn't find what I was looking for.

0 Karma
1 Solution

skoelpin
SplunkTrust

Go to Settings > Licensing > Usage report > Previous 30 days > Open in search > Time range picker for past 60 days

Or do this

index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]


splgeek
Explorer

Thanks.
I got Time, Volume in GB and Stacksize; I don't need stack size.

Also, how can I further drill down to license usage by users, total and average?

I don't have direct access to the License master,
so I can't use Settings > License Master.

0 Karma

skoelpin
SplunkTrust

Since Splunk's licensing model is based off data indexed and not tied to users, this is not possible. A user cannot consume licenses; the only thing that can consume licenses is adding more data into Splunk. By average licenses used, can you give me an example of what you're looking for? Do you want the average license amount consumed per month? Why get averages when you have the total amount per day?

0 Karma

splgeek
Explorer

Sorry, got mixed up.

Total license usage over 60 days,
based off Splunk servers - extracted field splunk_server

0 Karma

skoelpin
SplunkTrust

I'm still not clear about what you're looking for.

Here's a query which will find the average of 60 days' worth of data:

index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d pool="rtg_pool" | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d pool="rtg_pool" | eval _time=_time - 43200 | bin _time span=1d | stats latest(poolsz) AS  "pool size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)] | stats avg(volume)
0 Karma
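As an added offline illustration (not part of this thread and not Splunk's own code), the following Python reproduces what the searches above do with the RolloverSummary events: shift each rollover back 12 hours so it lands on the day it summarizes (the page's `_time - 43200`), keep the latest `b` per slave and pool per day, sum across slaves, convert to GB with the same rounding, and average. The log lines are constructed for the example, and the optional `earliest` ISO date stands in for `earliest=-60d@d`, which cannot be evaluated offline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample lines shaped like license_usage.log RolloverSummary events.
# Field names (type, slave, pool, stacksz, poolsz, b) follow the thread; values are made up.
SAMPLE_LOG = """\
03-01-2021 00:00:05.000 +0000 INFO  LicenseUsage - type=RolloverSummary slave=A pool="rtg_pool" stacksz=53687091200 poolsz=53687091200 b=10737418240
03-01-2021 00:00:05.000 +0000 INFO  LicenseUsage - type=RolloverSummary slave=B pool="rtg_pool" stacksz=53687091200 poolsz=53687091200 b=5368709120
03-01-2021 00:00:07.000 +0000 INFO  LicenseUsage - type=RolloverSummary slave=B pool="rtg_pool" stacksz=53687091200 poolsz=53687091200 b=6442450944
03-02-2021 00:00:05.000 +0000 INFO  LicenseUsage - type=RolloverSummary slave=A pool="rtg_pool" stacksz=53687091200 poolsz=53687091200 b=21474836480
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \S+ .*?type=(?P<type>\w+) slave=(?P<slave>\S+) '
    r'pool="?(?P<pool>[^"\s]+)"?.* b=(?P<b>\d+)'
)

def to_gb(n_bytes):  # same rounding as the thread's foreach/round(.../1024/1024/1024, 3)
    return round(n_bytes / 1024 / 1024 / 1024, 3)

def daily_volume_bytes(log_text, pool, earliest=None):
    """Mirror 'stats latest(b) by slave, pool, day | timechart sum(b)' for one pool."""
    latest = {}  # (day, slave) -> (event time, b)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["type"] != "RolloverSummary" or m["pool"] != pool:
            continue
        ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f")
        # The rollover is logged just after midnight; shifting it back 12h
        # attributes the summary to the day it actually covers.
        day = (ts - timedelta(hours=12)).date()
        if earliest and day.isoformat() < earliest:  # stand-in for earliest=-60d@d
            continue
        key = (day, m["slave"])
        if key not in latest or ts >= latest[key][0]:
            latest[key] = (ts, int(m["b"]))
    per_day = defaultdict(int)
    for (day, _slave), (_ts, b) in latest.items():
        per_day[day] += b
    return dict(sorted(per_day.items()))

def license_report(log_text, pool, earliest=None):
    """Return ([(day, volume_gb), ...], average_gb), like the thread's final 'stats avg(volume)'."""
    per_day = daily_volume_bytes(log_text, pool, earliest)
    rows = [(d.isoformat(), to_gb(b)) for d, b in per_day.items()]
    avg_gb = to_gb(mean(per_day.values())) if per_day else 0.0
    return rows, avg_gb
```

Note that slave B logs two rollovers on the same night; only the later one counts, which is why the search uses latest(b) before summing.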

splgeek
Explorer

Sorry about the confusion -
somehow I am still seeing only the last 30 days' worth of data.

Also I want to add to this search the

0 Karma

skoelpin
SplunkTrust

Add what to the search?

0 Karma

splgeek
Explorer

Add host info to the search as well.

0 Karma

skoelpin
SplunkTrust

Here's license usage by host:

index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx  | search pool="rtg_pool" | timechart span=1d sum(b) AS volumeB by h fixedrange=false  | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d  | search pool="rtg_pool" | eval _time=_time - 43200 | bin _time span=1d | stats latest(poolsz) AS  "pool size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
0 Karma

splgeek
Explorer

Thank you for your time and effort.

0 Karma