Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Get daily license usage from remote search head

dford343
Explorer
‎07-30-2018 08:50 AM

Is there a way to view daily license usage on a remote search head, instead of going to the deployment server/license manager? The below search is on the deployment server, but cannot run on the remote search head.

| rest splunk_server=[Server Address] /services/licenser/pools 
| rename title AS Pool 
| search 
    [ rest splunk_server=[Server Address] /services/licenser/groups 
    | search is_active=1 
    | eval stack_id=stack_ids 
    | fields stack_id] 
| join type=outer stack_id 
    [ rest splunk_server=[Server Address] /services/licenser/stacks 
    | eval stack_id=title 
    | eval stack_quota=quota 
    | fields stack_id stack_quota] 
| stats sum(used_bytes) as used max(stack_quota) as total 
| eval usedGB=round(used/1024/1024/1024,3) 
| eval totalGB=round(total/1024/1024/1024,3) 
| eval gauge_base=0 
| eval gauge_danger=totalGB*0.8 
| eval gauge_top=totalGB+0.001 
| gauge usedGB gauge_base gauge_danger totalGB gauge_top
Reply

pruthvikrishnap
Contributor
‎07-30-2018 11:40 AM

I am not sure if we can get that information from a remote search-head, this dashboard help to have a quick overview of the license usage and daily quota etc..
https://splunkbase.splunk.com/app/3178/

0 Karma
Reply

adonio
Ultra Champion
‎07-30-2018 06:04 PM

when you say a remote search head you mean you want to see license status from another splunk environment? is the remote search head cant see the indexers that under a certain license master?
can you elaborate a little on your use case?

0 Karma
Reply

dford343
Explorer
‎07-31-2018 05:04 AM

When I say a remote search head, I mean I have a deployment server, 2 search heads, a 3 index cluster, and 2 heavy forwarders. The search head can view all data being indexed in the cluster, but can't connect to the deployment server address.

What I want to do is view daily license usage (in real time) and set up alerts when we are close to hitting the license usage for the day.

0 Karma
Reply

adonio
Ultra Champion
‎07-31-2018 05:18 AM

hmmm, i guess i am confused now.
if your search heads can see the indexers, and your license master forwards its logs to the indexers, you can query the _internal index and report / alert on the usage
try this query as a base and modify as you see fits:

earliest=-1d@d latest=@d  index=_internal source=*license_usage.log* type=Usage
| stats sum(b) AS Bytes by st
| eval GB = Bytes/1024/1024/1024
| table st GB
| sort -GB
| addcoltotals
Reply

dford343
Explorer
‎07-31-2018 05:28 AM

So I have done a similar search before querying against the license_usage.log, but what I have found is that the numbers are completely different on the deployment server. Your query (with time set for "Today") has the total GB as 29.706. The default gauge on the deployment server shows only 43.171 GB.

Guess I should have clarified that issue. Sorry about that.

0 Karma
Reply

adonio
Ultra Champion
‎07-31-2018 05:33 AM

not sure how the deployment server fits into this ...
if your search heads and license master searches the same indexers, the report supposed to be the same.
make sure to have the earliest=-1d@d latest=@d

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...