Is there a way to view daily license usage on a remote search head, instead of going to the deployment server/license manager? The below search is on the deployment server, but cannot run on the remote search head.
| rest splunk_server=[Server Address] /services/licenser/pools | rename title AS Pool | search [ rest splunk_server=[Server Address] /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | join type=outer stack_id [ rest splunk_server=[Server Address] /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota] | stats sum(used_bytes) as used max(stack_quota) as total | eval usedGB=round(used/1024/1024/1024,3) | eval totalGB=round(total/1024/1024/1024,3) | eval gauge_base=0 | eval gauge_danger=totalGB*0.8 | eval gauge_top=totalGB+0.001 | gauge usedGB gauge_base gauge_danger totalGB gauge_top
when you say a remote search head you mean you want to see license status from another splunk environment? is the remote search head cant see the indexers that under a certain license master?
can you elaborate a little on your use case?
When I say a remote search head, I mean I have a deployment server, 2 search heads, a 3 index cluster, and 2 heavy forwarders. The search head can view all data being indexed in the cluster, but can't connect to the deployment server address.
What I want to do is view daily license usage (in real time) and set up alerts when we are close to hitting the license usage for the day.
hmmm, i guess i am confused now.
if your search heads can see the indexers, and your license master forwards its logs to the indexers, you can query the _internal index and report / alert on the usage
try this query as a base and modify as you see fits:
earliest=-1d@d latest=@d index=_internal source=*license_usage.log* type=Usage | stats sum(b) AS Bytes by st | eval GB = Bytes/1024/1024/1024 | table st GB | sort -GB | addcoltotals
So I have done a similar search before querying against the license_usage.log, but what I have found is that the numbers are completely different on the deployment server. Your query (with time set for "Today") has the total GB as 29.706. The default gauge on the deployment server shows only 43.171 GB.
Guess I should have clarified that issue. Sorry about that.
not sure how the deployment server fits into this ...
if your search heads and license master searches the same indexers, the report supposed to be the same.
make sure to have the