Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a timechart on license usage to show the max usage and the individual usage for each of our Splunk environments?

prakash007
Builder
‎04-21-2016 02:17 PM

I have been trying to create a timechart on license usage. I did try this search below..

 index=_internal source=*license_usage.log* type=Usage NOT idx=sos| timechart span=1d sum(eval(round(b/1024/1024/1024,5))) by idx |eval Test=(uat1+uat2+uat3) | rename main As Prod | eval TotalLicenseConsumption=(Test+Prod) | fields - default uat1 uat2 uat3

Looking for a chart with below requirement. Any help would be appreciated.

1.to display the max license(200GB in my case) in the bar graph
2.show the individual usage line graph (might be a overlay graph on top of 1) for Test, Prod and Total license consumption.

0 Karma
Reply

twinspop
Influencer
‎04-21-2016 02:55 PM

For the overall license usage and total available, explore the REST API. I used that as the basis for a fill-gauge panel using the below search. The "Danger Zone(tm)" adjusts based on time of day.

| rest splunk_server=local /services/licenser/pools/your_pool | 
fields title effective_quota used_bytes | 
eval used=round(used_bytes/(1024*1024*1024),2) | 
eval h=tonumber(strftime(now(),"%H"))/24 | 
eval danger=round(h*effective_quota/(1024*1024*1024),0) | 
eval max=round(effective_quota/(1024*1024*1024),0) | 
eval base=0 | 
eval gauge_top=max+(max*.01) | 
gauge used base danger max gauge_top
0 Karma
Reply

ddrillic
Ultra Champion
‎04-21-2016 02:46 PM

alt text

Preview file
1 KB
0 Karma
Reply

ddrillic
Ultra Champion
‎04-21-2016 02:45 PM

I just ran a simplified one on one indexer - 

index=_internal source="/opt/splunk/var/log/splunk/license_usage.log"
| timechart span=1d sum(eval(round(b/1024/1024/1024,5))) by idx

The report shows mostly NULL - what can it be?

Sorry, the picture is below...

0 Karma
Reply

prakash007
Builder
‎04-21-2016 02:53 PM

based on the picture you attached it has to show the license usage by individual indexes. run the search for more than a day as the search says span=1d

0 Karma
Reply

ddrillic
Ultra Champion
‎04-21-2016 03:23 PM

Changed it to span=1w and still I see the NULLs...

0 Karma
Reply

prakash007
Builder
‎04-22-2016 12:27 PM

can you just try and check the fields if you can find idx as we did a timechart by idx.

index=_internal source="/opt/splunk/var/log/splunk/license_usage.log"

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-21-2016 02:28 PM

I get the feeling you may be on an older version of Splunk? If so, upgrade to 6.4.0 and take a look at Settings -> Licensing -> 30 day report on your license master.
That has maximum pool size overlays, split by pool, etc.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-21-2016 02:46 PM

Splunk 6.3 will do fine. I was just thrown by idx=sos, Splunk on Splunk has been superseded by the distributed management console.

To get the query, open Settings -> Licensing -> 30 Days and click the magnifying glass in the bottom left of the chart.

0 Karma
Reply

prakash007
Builder
‎04-21-2016 02:37 PM

Martin,

We're on 6.3.1, and we don't have a plan to upgrade to 6.4 shortly. Is there any way i can get a query which report maximum pool size overlays in the chart..?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...