Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Query for license utilization

kjain041523
New Member
a month ago

Hi,

 

I need a splunk query to find the license utilization per host per day in last 4 months, to know which host/server is most noisy and utilizing most consumption in splunk.

Labels (2)
Labels
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
4 weeks ago

Hi @kjain041523 may i know if the issue is resolved or do you have further queries?

if its resolved, could you pls accept it as solution, thanks 

 

 

----------------------------------------------------------------------------------------------
If this post or any post addressed your question, could you pls:
Give it karma to show appreciation

PS - As of Apr 2026, my Karma Given is 2290 and my Karma Received is 494, lets revamp the Karma Culture!
Thanks and best regards, Sekar
----------------------------------------------------------------------------------------------

0 Karma
Reply

kknairr
Contributor
a month ago

@kjain041523 As mentioned, the easiest way to use the Monitoring Console's built in License Usage report under Settings > Licensing. Keep in mind that only the License Manager and Monitoring Console have access to the license_usage.log information from where we are pulling the usage information.

You can query _internal index alternatively from your License Manager. Use the below references to understand license_usage.log to build your custom query if required.

Please note that the _internal index usually has shorter retention (often 30 days by default), so you may not have four months of data unless retention has been increased in your indexes.conf file.

Ref: Create a report based on licence_usage.log | Splunk

What Splunk software logs about itself | Splunk Enterprise (last updated 2025-07-04T12:39:10.038Z)

>>

If this post addressed your question, you can:

  • Give it karma to show appreciation 👍
  • Mark it as the solution if it solved your issue ✔️
  • Add a comment if you’d like more details ✏️

Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.

>>

Reply

gcusello
SplunkTrust
SplunkTrust
a month ago

Hi @kjain041523 ,

the search you're searching is available in [Settings > Licensing > Usage Report >  Previous 6 days > Split by host] or in the Monitoring Console at [Indexing > License usage > Historic License usage > Split by host ].

This report is for 30 days but you can easily modify it for 120 days:

index=_internal 
    [ rest splunk_server=local /services/server/info 
    | return host] source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx 
| timechart span=1d sum(b) AS volumeB by h fixedrange=false 
| join type=outer _time 
    [ search index=_internal 
        [ rest splunk_server=local /services/server/info 
        | return host] source=*license_usage.log* type="RolloverSummary" earliest=-120d@d 
    | eval _time=_time - 43200 
    | bin _time span=1d 
    | dedup _time stack 
    | stats sum(stacksz) AS "stack size" by _time] 
| fields - _timediff 
| foreach "*" 
    [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

The problem could be another: are you sure that the retention of your _internal index is more than 4 months?

Usually it's less, so you could not have the logs dor this search!

Ciao.

Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...