Splunk Daily License consumption for a specific indexer cluster

SplunkExplorer

Hi Splunkers, I have a doubt about License Consumption.
I'm not here to ask how to calculate daily ingestion and/or license consumption in a Splunk Environment.
The Community is full of topics about this, and I have my own search that I use when no Monitoring Console is configured.
The point is the following: on an LM, I have 3 different environments, each one with a set of SHs, indexers and so on. The only "point of contact" is the LM itself, so, in a schematic way:

Env A (SHs, IDX cluster, other hosts) ---> LM "X"
Env B (SHs, IDX cluster, other hosts) ---> LM "X"
Env C (SHs, IDX cluster, other hosts) ---> LM "X"

The question is: what if I have to search daily license consumption for only one of the above ENVs? For example, I want to calculate license consumption only for Env A.
The first thing I thought: OK, I have two options:

  • Use MC
  • Use my search on _internal logs, based on license consumption data, and specify, as the idx parameter, only the subset of indexes for the desired ENV.

PROBLEM: The ENVs do not have totally different indexes. For example, the index "linux_audit" is set on all 3 envs. So, if I try to differentiate the clusters based on their own indexes, I'm not able to do this.


PickleRick

You can either search on each environment separately (which I assume you don't wanna do) or use the LM as a "central search head" from which you'll be able to spawn searches to each of those environments. Then you can just search specific peers.

https://docs.splunk.com/Documentation/Splunk/9.2.0/Search/Searchdistributedpeers
