How to View License Usage from Search Head?

TJT · ‎08-28-2023

Is there a way to view license usage from the Splunk search head? I'm on Splunk 9.0.3.

I've attempted to forward license_usage.log to the Splunk indexer and directly to the Splunk search head from the manager node. The file seems to forward however the contents are replaced with a message stating the information is only viewable from the manager node. Another possibility is license_usage.log is generated by default on both the indexer and search head so it only looks as though the log is being forwarded.

Due to the way our Splunk deployment is distributed, I need to have the web interface disabled on the manager node so simply logging into the manager node web interface is not an option. To reiterate the question above, is there a way to view licensing information (either through search or monitoring console) from the Splunk search head?

spodda01da · ‎09-03-2023

You can use the following on Search Head:

index=_internal source=*license_usage.log type=Usage pool=* | eval _time=strftime(_time,"%m-%d-%y") | stats sum(b) as ub by _time | eval ub=round(ub/1024/1024/1024,3) | eval _time=strptime(_time,"%m-%d-%y") | sort _time | eval _time=strftime(_time,"%m-%d-%y") | rename _time as Date ub as "Daily License Quota Used"

You can define the "Date Range" to get daily usage.

How to View License Usage from Search Head?

configuration

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!