License usage

Siddharthnegi · ‎08-31-2023

How to see daily licensing usage of 1 index in Splunk.

isoutamo · ‎08-31-2023

On MC (monitoring console) is own dashboard to show license usage. There are some selection by which you can see values. Just go

Settings -> Monitoring Console

Indexing -> License Usage -> Historic License Usage

then Split By: By Index

Otherwise if you have all in one server you could check this also from

Settings -> Licensing

Usage Report

Previous 60 days

Split by: index

Those both shows by N (10?) biggest indexes. If you want to check some specific index then just copy that query by opening it from magnify glass.

Then modify it something like

index=_internal idx=<YOUR INDEX NAME>
    [ `set_local_host`] source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx 
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false 
| join type=outer _time 
    [ search index=_internal idx=<YOUR INDEX NAME>
        [ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d 
    | eval _time=_time - 43200 
    | bin _time span=1d 
    | dedup _time stack 
    | stats sum(stacksz) AS "stack size" by _time] 
| fields - _timediff 
| foreach * 
    [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

r. Ismo

License usage

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?

License usage

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)