Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to generate a search to obtain a report on licensed users and their Total and Average license usage over a 60 day period?

splgeek
Explorer
‎10-19-2016 07:22 AM

How can I generate a SPL search to get data on Splunk licensed users along with their license usage (Total and Average) over a 60 days period?

I have searched Answers and I couldn't find what I was looking for.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎10-19-2016 07:27 AM

Go to Settings>Licensing >Usage report > Previous 30 days > Open in search > Time range picker for past 60 days

Or do this 

index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

View solution in original post

Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎10-19-2016 07:27 AM

Go to Settings>Licensing >Usage report > Previous 30 days > Open in search > Time range picker for past 60 days

Or do this 

index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
Reply
Solved! Jump to solution

TrangCIC81
Communicator
‎09-06-2023 06:26 PM

Hi,

I have the same problem here. Tried to set it to 60 days but it only shows 30 day data by using your spl.

0 Karma
Reply
Solved! Jump to solution

splgeek
Explorer
‎10-19-2016 07:34 AM

Thanks
I got Time , Volume in GB and Stacksize, i dont need stack size

Also how can i further drill down to License usage by users , total and average

I dont have direct access to License master
so i cant use Settings,License Master

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎10-19-2016 07:39 AM

Since Splunks licensing model is based off data indexed and not tied to users, this is not possible. A user cannot consume licenses, the only thing that can consume licenses is by adding more data into Splunk. By average licenses used, can you give me an example of what your looking for? Do you want average license amount consumed per month? Why get averages when you have the total amount per day?

0 Karma
Reply
Solved! Jump to solution

splgeek
Explorer
‎10-19-2016 07:48 AM

Sorry got mixed up

Total License Usage over 60 days
based off splunk servers, - extracted field splunk_server

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎10-19-2016 08:09 AM

I'm still not clear about what you're looking for

Here's a query which will find the average of 60 days worth of data 

index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d pool="rtg_pool" | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d pool="rtg_pool" | eval _time=_time - 43200 | bin _time span=1d | stats latest(poolsz) AS  "pool size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)] | stats avg(volume)
0 Karma
Reply
Solved! Jump to solution

splgeek
Explorer
‎10-19-2016 08:13 AM

sorry about the confusion-
some how i am still seeing only last 30 days worth of data only.

Also I want to add to this search the

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎10-19-2016 08:34 AM

Add what to the search?

0 Karma
Reply
Solved! Jump to solution

splgeek
Explorer
‎10-19-2016 08:37 AM

add Host info to the search aswell

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎10-19-2016 08:40 AM

Here's licenses usage by host 

index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx  | search pool="rtg_pool" | timechart span=1d sum(b) AS volumeB by h fixedrange=false  | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-60d@d  | search pool="rtg_pool" | eval _time=_time - 43200 | bin _time span=1d | stats latest(poolsz) AS  "pool size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
0 Karma
Reply
Solved! Jump to solution

splgeek
Explorer
‎10-19-2016 01:20 PM

thank you for your time and effort

0 Karma
Reply
Get Updates on the Splunk Community!

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...

This month, we’re delivering several platform, infrastructure, application and digital experience monitoring ...