Splunk Enterprise

Splunk Daily License consumption for a specific indexers cluster

SplunkExplorer
Contributor

Hi Splunkers, I have a doubt about License Consumption.
I'm not here to ask how to calculate daily ingestion and/or license consumption in a Splunk Environment.
The Community is full of topics about this, and I have my own search that I use when no Monitoring Console is configured.
The point is the following: on a LM, I have 3 different environments, each one with a set of SHs, indexers and so on. The only "point of contact" is the LM itself, so, in a schematic way:

Env A (SHs, IDX cluster, other hosts) ---> LM "X"
Env B (SHs, IDX cluster, other hosts) ---> LM "X"
Env C (SHs, IDX cluster, other hosts) ---> LM "X"

Question is: what if I have to search daily license consumption for only one of the above ENVs? For example, I want to calculate license consumption only for Env A.
First thing I thought: OK, I have two options:

  • Use MC
  • Use my search on _internal logs, based on license consumption data, and specify, as the idx parameter, only the subset of indexes for the desired ENV.

PROBLEM: the ENVs do not have totally different indexes. For example, index "linux_audit" is set on all 3 ENVs. So, if I try to differentiate the clusters based on their own indexes, I'm not able to do this.


PickleRick
SplunkTrust

You can either search on each environment separately (which I assume you don't wanna do) or use the LM as a "central search head" from which you'll be able to spawn searches to each of those environments. Then you can just search specific peers.

https://docs.splunk.com/Documentation/Splunk/9.2.0/Search/Searchdistributedpeers
