Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About lux209
lux209
Explorer
Member since:
07-30-2020
09-18-2025
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 6 |
| Karma Received | 0 |
| Member Since | 07-30-2020 |
Activity Feed
- Posted Re: Deployment server https - no client certificate on Security. 07-11-2025 03:51 AM
- Karma Re: Deployment server https - no client certificate for livehybrid. 07-11-2025 03:49 AM
- Posted Deployment server https - no client certificate on Security. 07-11-2025 02:28 AM
- Karma Re: How do you calculate the log size per day for a specific sourcetype or source? for richgalloway. 04-08-2025 01:34 AM
- Karma Re: Get License limit for livehybrid. 04-03-2025 12:29 AM
- Karma Re: Get License limit for isoutamo. 04-03-2025 12:29 AM
- Posted Re: Get License limit on Monitoring Splunk. 04-01-2025 06:13 AM
- Karma Re: Get License limit for livehybrid. 03-31-2025 11:58 PM
- Posted Re: Get License limit on Monitoring Splunk. 03-31-2025 11:57 PM
- Karma Re: Get License limit for livehybrid. 03-31-2025 06:51 AM
- Posted Re: Get License limit on Monitoring Splunk. 03-31-2025 06:50 AM
- Posted Get License limit on Monitoring Splunk. 03-31-2025 02:01 AM
- Posted Re: How do you calculate the log size per day for a specific sourcetype or source? on Reporting. 11-30-2022 05:55 AM
- Posted TA Windows upgrade on Installation. 07-30-2020 02:32 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
07-11-2025
02:28 AM
Hello, I'm looking to secure the connection to our deployment server using HTTPS following this doc: https://docs.splunk.com/Documentation/Splunk/9.4.2/Security/Securingyourdeploymentserverandclients I'm wondering if having client certificate is mandatory or if it would be possible to only install a certificate on the DS server itself ? I don't need the to have mTLS, my goal is only to have an encrypted connection between the server and the clients. Thanks for you help Lucas
... View more
Labels
- Labels:
-
SSL
04-01-2025
06:13 AM
Hello, Interesting, I had to adapt a bit the limit query, the source type did not exist on my side: index IN (_cmc_summary, summary) ingest_license=* | table _time ingest_license I tried the search but it is not working, I either have a value in the total_license_limit_gb column or in the Daily License Usage but not both at the same time. So the last Where cannot do the test. Here is the result classified by the daily usage: And classified by the Limit: I tried to do the search differently and also use poolsz but without luck. Any idea ? Thank you again for you great help
... View more
03-31-2025
11:57 PM
Hi livehybrid, Yes I did change the host=macdev in my test, and you are correct I forgot to mention that I'm testing this in Splunk Cloud, for the on prem infra I'm just looking for the default license alert messages in the internal logs as it already contain the information when the we exceed the license, but this doesn't work on the cloud. I tested your query, it is working perfectly and it is much faster than my initial query. Would it be complicated to dynamically get the license limit information on the cloud ? I see that the CMC has it with `sim_licensing_limit` but it is not usable outside the CMC.. Thanks !
... View more
03-31-2025
06:50 AM
Hi livehybrid, Thanks you for your help and the information ! I did some test and it is looking promising, I just have an issue with the poolsz field, the value I get for total_license_limit_gb or "Daily License Limit" is 18446744073709551615 and my license limit is 300GB. Do I need to change someting to get the 300GB limit ? I guess this is something around ", sum(b) as total_usage_bytes by _time" to change but I'm not sure what ? Thank you !
... View more
03-31-2025
02:01 AM
Hello, I'm building a search to get alerted when we go over the license. I have a search that is working well to get the license usage and get alert when it goes over the 300GB license: index=_internal source=*license_usage.log type=Usage pool=* | eval _time=strftime(_time,"%m-%d-%y") | stats sum(b) as ub by _time | eval ub=round(ub/1024/1024/1024,3) | eval _time=strptime(_time,"%m-%d-%y") | sort _time | eval _time=strftime(_time,"%m-%d-%y") | rename _time as Date ub as "Daily License Quota Used" | where 'Daily License Quota Used' > 300 But here as you can see I did set the 300GB limit manually in the search. Is there a way to get this info from Splunk directly ? I see that in the CMC it use `sim_licensing_limit` to get the info, but this doesn't work when doing a search outside the CMC. Thanks ! Lucas
... View more
Labels
- Labels:
-
license usage
11-30-2022
05:55 AM
Hello, I know it is an very old post but it is close to what I'm looking for. I'm trying to extract the log volume per source type, the below query is working fine but it groups all "small" source types in an "other" column. I can't find how to show all sourcetypes in the result ? index=_internal (host=*.*splunk*.* NOT host=sh*.*splunk*.*) source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | timechart span=1d eval(round((sum(b)/pow(2,30)),3)) AS Volume by st | append [| search (index=summary source="splunk-entitlements") | bin _time span=1d | stats max(ingest_license) as license by _time] | stats values(*) as * by _time | rename license as "license limit" | fields - volume
... View more
07-30-2020
02:32 AM
Hi All, I'm quite new to Splunk and I have a question regarding the upgrade for the TA Widows. Our infra consist of a SH cluster, index cluster, and universal forwarders. At the moment the SH cluster has the TA version 5.0.1, indexers and universal forwarders have an old 4.8.4 version all seems to work just fine. I now need to upgrade the TA to the version 6 and here comes my questions. - Would it be possible to still keep the old version and config on indexers and forwarders ? From what I see most changes in v6 is the "merge" of the TA windows DNS and AD, for those change we need to copy indexes.conf and inputs.conf data from the DNS and AD app to the new TA Windows app. So if I'm correct if the indexer and forwarder still have the old apps the .conf file in those old app will still work and forward the logs right ? Am I missing other important changes that would need update or re-config ? - if I can keep the old version will it work if I upgrade the indexer to Splunk 8 ? the version 4.8.4 is clearly not officially supported on Splunk 8 but as the indexer only use the Inputs.conf I suppose it will work right ? And the same for the universal forwarders ? As I said I'm new to splunk so I maybe missed stuff... I want to keep those old version as I have a lot of stuff to do for the splunk 8 upgrade already so I'm trying to save time where I can and I will take care of this after the full upgrade to 8. Thanks !
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-18-2025
06:12 AM
|
