Splunk Enterprise

Count of license usage warnings

Knust
Explorer

Hi, I want to find out how many license warnings there are in the current 60 day rolling window. Why is there not an easy way to find this? Surely this should be included in the license usage report?

regards, Knut


isoutamo
SplunkTrust

Hi

You could start with the license usage GUI, open that search, and then modify its earliest attribute.

At least I have this information on Settings -> License -> Usage Report -> Previous 60 days.

Here is the SPL from there:

index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-60d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=false
| join type=outer _time
    [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-60d@d
    | eval _time=_time - 43200
    | bin _time span=1d
    | dedup _time stack
    | stats sum(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

You must run this on the node where you have your license, or update that `set_local_host` part correctly.

It seems that at least in 9.1.2 this is broken. The dashboard said that it is from the last 60d, but in the SPL it was only the last 30d!

r. Ismo

Knust
Explorer

Thank you for the answer. I have indeed already tried the option you proposed, but believe it will not work because the default retention of the internal logs does not go past 30 days, I believe. Surely Splunk has another way to keep track of this though?

Regards, Knut


isoutamo
SplunkTrust

There is also some summary information in the _telemetry index.

index=_telemetry licenseGroup=Enterprise component=LicenseUsageSummary

There is information on a daily basis.

Another option is to extend the retention time for _internal. This is the only way if you want to see that on 60 days and select different dimensions for log usage.

Knust
Explorer

Yes, I think changing the retention to 60 days, or maybe even longer, is the best solution for this. Let's hope they manage to fix the "Past 60 day" dashboard in the future too, for convenience.
