Splunk Enterprise Security

How to View License Usage from Search Head?

TJT
Loves-to-Learn Lots

Is there a way to view license usage from the Splunk search head? I'm on Splunk 9.0.3.

I've attempted to forward license_usage.log to the Splunk indexer and directly to the Splunk search head from the manager node. The file seems to forward however the contents are replaced with a message stating the information is only viewable from the manager node. Another possibility is license_usage.log is generated by default on both the indexer and search head so it only looks as though the log is being forwarded. 

Due to the way our Splunk deployment is distributed, I need to have the web interface disabled on the manager node so simply logging into the manager node web interface is not an option. To reiterate the question above, is there a way to view licensing information (either through search or monitoring console) from the Splunk search head?

Labels (1)
0 Karma

spodda01da
Path Finder

You can use the following on Search Head:

index=_internal source=*license_usage.log type=Usage pool=* | eval _time=strftime(_time,"%m-%d-%y") | stats sum(b) as ub by _time | eval ub=round(ub/1024/1024/1024,3) | eval _time=strptime(_time,"%m-%d-%y") | sort _time | eval _time=strftime(_time,"%m-%d-%y") | rename _time as Date ub as "Daily License Quota Used"

You can define the "Date Range" to get daily usage.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...