Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to generate a search to obtain a report on licensed users and their Total and Average license usage over a 60 day period?

splgeek
Explorer
‎10-19-2016 07:22 AM

How can I generate a SPL search to get data on Splunk licensed users along with their license usage (Total and Average) over a 60 days period?

I have searched Answers and I couldn't find what I was looking for.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎10-19-2016 07:27 AM

Go to Settings>Licensing >Usage report > Previous 30 days > Open in search > Time range picker for past 60 days

Or do this 

index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

View solution in original post

Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎10-19-2016 07:27 AM

Go to Settings>Licensing >Usage report > Previous 30 days > Open in search > Time range picker for past 60 days

Or do this 

index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
Reply
Solved! Jump to solution

splgeek
Explorer
‎10-19-2016 07:34 AM

Thanks
I got Time , Volume in GB and Stacksize, i dont need stack size

Also how can i further drill down to License usage by users , total and average

I dont have direct access to License master
so i cant use Settings,License Master

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎10-19-2016 07:39 AM

Since Splunks licensing model is based off data indexed and not tied to users, this is not possible. A user cannot consume licenses, the only thing that can consume licenses is by adding more data into Splunk. By average licenses used, can you give me an example of what your looking for? Do you want average license amount consumed per month? Why get averages when you have the total amount per day?

0 Karma
Reply
Solved! Jump to solution

splgeek
Explorer
‎10-19-2016 07:48 AM

Sorry got mixed up

Total License Usage over 60 days
based off splunk servers, - extracted field splunk_server

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎10-19-2016 08:09 AM

I'm still not clear about what you're looking for

Here's a query which will find the average of 60 days worth of data 

index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d pool="rtg_pool" | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d pool="rtg_pool" | eval _time=_time - 43200 | bin _time span=1d | stats latest(poolsz) AS  "pool size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)] | stats avg(volume)
0 Karma
Reply
Solved! Jump to solution

splgeek
Explorer
‎10-19-2016 08:13 AM

sorry about the confusion-
some how i am still seeing only last 30 days worth of data only.

Also I want to add to this search the

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎10-19-2016 08:34 AM

Add what to the search?

0 Karma
Reply
Solved! Jump to solution

splgeek
Explorer
‎10-19-2016 08:37 AM

add Host info to the search aswell

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎10-19-2016 08:40 AM

Here's licenses usage by host 

index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx  | search pool="rtg_pool" | timechart span=1d sum(b) AS volumeB by h fixedrange=false  | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d  | search pool="rtg_pool" | eval _time=_time - 43200 | bin _time span=1d | stats latest(poolsz) AS  "pool size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
0 Karma
Reply
Solved! Jump to solution

splgeek
Explorer
‎10-19-2016 01:20 PM

thank you for your time and effort

0 Karma
Reply
Get Updates on the Splunk Community!

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...