Splunk Enterprise

how to filter list licenses output

test_splunk15
Explorer

Is there a parameter with which we can filter the licenses from the command below? I need to filter and check only whether the enterprise license is applied or not during my script (shell script). Is there a way I can pass a parameter like stack_id etc.? Or should it be done via Linux commands?

Filter only one pool, check the size, compare it with the actual size, and understand whether all the license files are applied properly.
No manual intervention.

Can't see anything here: https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/LicenserCLIcommands

splunk list licenser-pools

    auto_generated_pool_enterprise
            description:auto_generated_pool_enterprise
            effective_quota:123456
            is_unlimited:0
            quota:MAX
            slaves:
            stack_id:enterprise
            used_bytes:1234

    auto_generated_pool_forwarder
            description:auto_generated_pool_forwarder
            effective_quota:123456
            is_unlimited:0
            quota:MAX
            slaves:
            stack_id:forwarder
            used_bytes:0

    auto_generated_pool_free
            description:auto_generated_pool_free
            effective_quota:123456
            is_unlimited:0
            quota:MAX
            slaves:
            stack_id:free
            used_bytes:0

 

0 Karma

PavelP
Motivator

Hello @test_splunk15 ,

You can start with this line and add more logic (like calculating the ratio, checking whether a trial license is still being used, converting bytes to MB/GB, etc.):

splunk list licenser-pools | awk '/description:auto_generated_pool_enterprise/' RS= | grep -e effective_quota -e used_bytes | sed 's/^\s*//'

awk extracts the text block from description:auto_generated_pool_enterprise to the next blank line, grep filters both lines, and sed removes blanks in front of the text.

Output:

effective_quota:53687091200
used_bytes:798031

Please let me know if it works

P.S. I wonder if it all can be done with SPL only from the SH for all splunk instances which send internal logs to the index layer


0 Karma
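Added example, not part of the original posts and not Splunk tooling: a script-friendly version of the check asked about above. It selects the pool by its `stack_id` field instead of grepping the description, then compares `effective_quota` with an expected byte count. The function names `pool_field`, `check_pool` and `sample_output` are hypothetical, and the sample text is constructed from the output quoted in this thread.

```shell
#!/bin/sh
# Added example. Usage on a license manager (expected size in bytes is yours to supply):
#   splunk list licenser-pools | check_pool enterprise 53687091200

# pool_field STACK_ID FIELD: print FIELD of the pool whose stack_id is STACK_ID.
pool_field() {
    sed 's/[[:space:]]*$//' |            # whitespace-only lines become empty separators
    awk -v stack="$1" -v field="$2" '
        BEGIN { RS = ""; FS = "\n" }     # paragraph mode: one pool per record
        {
            split("", kv)                # reset key/value map for this pool
            for (i = 1; i <= NF; i++) {
                line = $i
                sub(/^[ \t]+/, "", line)
                p = index(line, ":")
                if (p > 0) kv[substr(line, 1, p - 1)] = substr(line, p + 1)
            }
            if (kv["stack_id"] == stack && (field in kv)) { print kv[field]; found = 1; exit }
        }
        END { exit !found }              # non-zero when pool or field is absent
    '
}

# check_pool STACK_ID EXPECTED_BYTES: 0 = match, 1 = mismatch, 2 = no pool, 3 = bad value.
check_pool() {
    quota=$(pool_field "$1" effective_quota) || {
        echo "no pool with stack_id '$1'" >&2; return 2; }
    case $quota in
        ''|*[!0-9]*) echo "unexpected effective_quota: '$quota'" >&2; return 3 ;;
    esac
    [ "$quota" = "$2" ] || { echo "effective_quota $quota, expected $2" >&2; return 1; }
}

sample_output() {   # constructed sample, shaped like the output quoted in the thread
    cat <<'EOF'
    auto_generated_pool_enterprise
            description:auto_generated_pool_enterprise
            effective_quota:53687091200
            stack_id:enterprise
            used_bytes:798031

    auto_generated_pool_forwarder
            description:auto_generated_pool_forwarder
            effective_quota:1048576
            stack_id:forwarder
            used_bytes:0
EOF
}

sample_output | check_pool enterprise 53687091200 && echo "enterprise quota matches"
```

The distinct exit codes let an unattended script tell a missing enterprise pool (2) apart from a pool whose quota does not match the expected total (1).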


test_splunk15
Explorer

Hi @PavelP , thanks for the above.

I've done something similar and it works fine. However, I wanted to understand from Splunk filters. Looks like there is nothing.

Thanks again for your inputs.

0 Karma

PavelP
Motivator

Hi @test_splunk15

There is a license usage section in the Monitoring Console (MC); here is an example based on REST (replace host1 with your server):

| rest splunk_server=host1 /services/licenser/pools
| rename title AS Pool
| search [rest splunk_server=host1 /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id]
| join type=outer stack_id [rest splunk_server=host1 /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota]
| stats sum(used_bytes) as used max(stack_quota) as total
| eval usedGB=round(used/1024/1024/1024,3)
| eval totalGB=round(total/1024/1024/1024,3)
| eval gauge_base=0
| eval gauge_danger=totalGB*0.8
| eval gauge_top=totalGB+0.001
| gauge usedGB gauge_base gauge_danger totalGB gauge_top

Additionally/alternatively, you can parse the license_usage.log log directly:

index=_internal source=*license_usage.log
0 Karma

test_splunk15
Explorer

Thanks @PavelP

0 Karma

test_splunk15
Explorer

By the way, is this result format specified in any file, or is it text format by default?

0 Karma