Splunk Enterprise Security

Get daily license usage from remote search head

dford343
Explorer

Is there a way to view daily license usage on a remote search head, instead of going to the deployment server/license manager? The below search is on the deployment server, but cannot run on the remote search head.

| rest splunk_server=[Server Address] /services/licenser/pools 
| rename title AS Pool 
| search 
    [ rest splunk_server=[Server Address] /services/licenser/groups 
    | search is_active=1 
    | eval stack_id=stack_ids 
    | fields stack_id] 
| join type=outer stack_id 
    [ rest splunk_server=[Server Address] /services/licenser/stacks 
    | eval stack_id=title 
    | eval stack_quota=quota 
    | fields stack_id stack_quota] 
| stats sum(used_bytes) as used max(stack_quota) as total 
| eval usedGB=round(used/1024/1024/1024,3) 
| eval totalGB=round(total/1024/1024/1024,3) 
| eval gauge_base=0 
| eval gauge_danger=totalGB*0.8 
| eval gauge_top=totalGB+0.001 
| gauge usedGB gauge_base gauge_danger totalGB gauge_top

pruthvikrishnap
Contributor

I am not sure if we can get that information from a remote search head; this dashboard helps to get a quick overview of the license usage and daily quota, etc.
https://splunkbase.splunk.com/app/3178/

0 Karma

adonio
Ultra Champion

When you say a remote search head, do you mean you want to see license status from another Splunk environment? Is it that the remote search head can't see the indexers that are under a certain license master?
Can you elaborate a little on your use case?

0 Karma

dford343
Explorer

When I say a remote search head, I mean I have a deployment server, 2 search heads, a 3 index cluster, and 2 heavy forwarders. The search head can view all data being indexed in the cluster, but can't connect to the deployment server address.

What I want to do is view daily license usage (in real time) and set up alerts when we are close to hitting the license usage for the day.

0 Karma

adonio
Ultra Champion

Hmmm, I guess I am confused now.
If your search heads can see the indexers, and your license master forwards its logs to the indexers, you can query the _internal index and report/alert on the usage.
Try this query as a base and modify it as you see fit:

earliest=-1d@d latest=@d  index=_internal source=*license_usage.log* type=Usage
| stats sum(b) AS Bytes by st
| eval GB = Bytes/1024/1024/1024
| table st GB
| sort -GB
| addcoltotals
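An added example (not part of this thread) that reproduces the two calculations discussed above offline: the `stats sum(b) AS Bytes by st` aggregation from the query just given, and the 80% danger threshold from the gauge in the question (`gauge_danger=totalGB*0.8`). The `pool` and `poolsz` (pool quota in bytes) fields are assumed to be present on type=Usage records as in the license master's license_usage.log; the sample lines, hosts and GUIDs are constructed.

```python
import re
from collections import defaultdict

GB = 1024 ** 3
# key=value pairs in license_usage.log; values may be double-quoted (e.g. st="syslog", o="")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines in the shape of license_usage.log on the license master:
# a 50 GB pool quota (poolsz) with 42 GB indexed today, plus a RolloverSummary record to skip.
SAMPLE_LOG = [
    '10-10-2017 00:00:01.000 -0400 INFO LicenseUsage - type=RolloverSummary pool="auto_generated_pool_enterprise" poolsz=53687091200 stacksz=53687091200',
    '10-10-2017 09:00:00.000 -0400 INFO LicenseUsage - type=Usage s="/var/log/messages" st="syslog" h="web01" o="" idx="main" i="GUID-1" pool="auto_generated_pool_enterprise" b=21474836480 poolsz=53687091200',
    '10-10-2017 10:00:00.000 -0400 INFO LicenseUsage - type=Usage s="/var/log/messages" st="syslog" h="web02" o="" idx="main" i="GUID-2" pool="auto_generated_pool_enterprise" b=10737418240 poolsz=53687091200',
    '10-10-2017 11:00:00.000 -0400 INFO LicenseUsage - type=Usage s="/var/log/httpd/access_log" st="access_combined" h="web01" o="" idx="web" i="GUID-1" pool="auto_generated_pool_enterprise" b=12884901888 poolsz=53687091200',
]

def parse_usage_line(line):
    """Return one log line's key=value fields as a dict, with surrounding quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def usage_by_sourcetype(lines):
    """Same aggregation as `stats sum(b) AS Bytes by st`, converted to GB and sorted descending."""
    totals = defaultdict(int)
    for fields in map(parse_usage_line, lines):
        if fields.get("type") == "Usage":          # only per-event usage records count
            totals[fields["st"]] += int(fields["b"])
    return sorted(((st, round(b / GB, 3)) for st, b in totals.items()), key=lambda x: -x[1])

def pool_usage(lines, danger=0.8):
    """Sum today's bytes per pool against the pool quota (poolsz) and flag pools at or above
    the danger fraction; 0.8 mirrors the gauge_danger=totalGB*0.8 threshold in the question."""
    used, quota = defaultdict(int), {}
    for fields in map(parse_usage_line, lines):
        if fields.get("type") != "Usage":          # skip RolloverSummary and other record types
            continue
        used[fields["pool"]] += int(fields["b"])
        quota[fields["pool"]] = int(fields["poolsz"])
    return {pool: {"used_gb": round(b / GB, 3), "quota_gb": round(quota[pool] / GB, 3),
                   "pct": round(100 * b / quota[pool], 1), "alert": b / quota[pool] >= danger}
            for pool, b in used.items()}

if __name__ == "__main__":
    for st, gb in usage_by_sourcetype(SAMPLE_LOG):
        print(f"{st:20s} {gb:8.3f} GB")
    for pool, r in pool_usage(SAMPLE_LOG).items():
        print(f"{pool}: {r['used_gb']} / {r['quota_gb']} GB ({r['pct']}%) alert={r['alert']}")
```

Only type=Usage records are counted, so the midnight RolloverSummary line does not double the total; a pool whose usage crosses the danger fraction is reported with `alert=True`, which is the condition an alert search on the search head would fire on.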

dford343
Explorer

So I have done a similar search before querying against the license_usage.log, but what I have found is that the numbers are completely different on the deployment server. Your query (with time set for "Today") has the total GB as 29.706. The default gauge on the deployment server shows only 43.171 GB.

Guess I should have clarified that issue. Sorry about that.

0 Karma

adonio
Ultra Champion

Not sure how the deployment server fits into this...
If your search heads and license master search the same indexers, the report is supposed to be the same.
Make sure to have earliest=-1d@d latest=@d.

0 Karma