Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- How is License used by each Splunk instance ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I want to understand the License used by each instance in Splunk.Can anyone help me in understanding the below points?
- How can we calculate the license used by each splunk instance(indexer,search head etc) because in Monitoring console(MC) i can see the overall license used by a pool.How can i differentiate ?
- What is the source of licenseusage.log file and how it is generated?
- In MC Todays license usage panel query consists of | eval usedGB=round(used/1024/1024/1024,3) What does this mean?
Thanks you in Advance!
Cheers!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- How can we calculate the license used by each splunk instance(indexer,search head etc) because in Monitoring console(MC) i can see the overall license used by a pool.How can i differentiate ?
h = host, st= sourcetype, idx=index, s= source.
I used h in below query because you want to calculate by host.
index=_internal host=<yourlicensemaster> source="*license_usage.log" (h=<yourindexer> OR h=<yoursearchhead>)
| stats sum(b) as bytes by h
| eval GB=round(bytes/1024/1024/1024,2)
| table h GB- What is the source of licenseusage.log file and how it is generated?
All Events that are getting indexed will pass through License meter just before indexing events in indexers. Splunk License master will then extract meta data and write events to license_usage.log.
- In MC Todays license usage panel query consists of | eval usedGB=round(used/1024/1024/1024,3) What does this mean?
license_usage.log will record size in bytes. | eval usedGB=round(used/1024/1024/1024,3) is used convert bytes to GB and rounding decimal to 3 digits.
If this helps, give a like below.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Ashwini008
Q - How can we calculate the license used by each splunk instance(indexer,search head etc) because in Monitoring console(MC) i can see the overall license used by a pool.How can i differentiate ?
A - One simple idea. logs/events flow from UF/HF to indexers and stored "in" indexers. Search Heads simply query the events from indexers. so search head does not consume license. only indexers consume license.
on MC, as you are getting per pool license usage, as per solution's search query, you can search for indexer wise license usage. hope this helps in your understandings.
(i have received 250 karma giver badge, how many karma points you have given so far?!?! )
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- How can we calculate the license used by each splunk instance(indexer,search head etc) because in Monitoring console(MC) i can see the overall license used by a pool.How can i differentiate ?
h = host, st= sourcetype, idx=index, s= source.
I used h in below query because you want to calculate by host.
index=_internal host=<yourlicensemaster> source="*license_usage.log" (h=<yourindexer> OR h=<yoursearchhead>)
| stats sum(b) as bytes by h
| eval GB=round(bytes/1024/1024/1024,2)
| table h GB- What is the source of licenseusage.log file and how it is generated?
All Events that are getting indexed will pass through License meter just before indexing events in indexers. Splunk License master will then extract meta data and write events to license_usage.log.
- In MC Todays license usage panel query consists of | eval usedGB=round(used/1024/1024/1024,3) What does this mean?
license_usage.log will record size in bytes. | eval usedGB=round(used/1024/1024/1024,3) is used convert bytes to GB and rounding decimal to 3 digits.
If this helps, give a like below.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@thambisetty Thank you your answers helped me 🙂 I have few doubts on the Monitoring console License page.
- Todays' s License GB panel is it represents the average the License used by only indexers in day,Since license is metered only for the ingested data?
Is so ,then by using the above query which you gave to calculate the license used by h(in my case i gave indexers as host) the results does not match with the average results present in "Todays' s License GB panel"
- License usage in previous 30 days panel shows the data of only previous 4 days data. Type=rolloversummary.
Is there any query which i can use to calculate the license used by each indexer per day ?Or any document to understand License page in MC?
Cheers!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to check the total license in realtime will be the following query:
index=_internal host="<licensemaster>" source="/opt/splunk/var/log/splunk/license_usage.log" type=Usage
| timechart span=1d sum(b) as bytes
| eval GB=round(bytes/1024/1024/1024,2)
| table _time GBRemember that the RolloverSummary is a component that will be updated at the end of the day ( this will fall next day). so if you want to check the total license in the current day I recommend using the above query.
If this helps, give a like below.
Observe and Secure All Apps with Splunk
Splunk Decoded: Business Transactions vs Business IQ
Fastest way to demo Observability
