All Apps and Add-ons

Query about Indexing License Count

dishasaxena
Path Finder

If Splunk starts indexing any big size file at the end of a calendar day and splunk completes its indexing after the start of another day, then how will its license usage count gets calculated? I mean to say, if it will be counted in the current calendar day or will it be counted in next calendar day. Assuming there is no license violation on either of the day.

Regards,
Disha

0 Karma
1 Solution

dishasaxena
Path Finder

We had an discussion with Splunk Team, we raised this query with them and as per their response, total volume will be divided into both days license count depending upon their indexing volume that has been indexed per day.

In other words, the volume which has been indexed before till 11:59PM today will be counted in today's license, rest of the volume of that file will be get calculated in licnse count of next day.
My query had not any dependency on Licensing server. It has its own defined role.

Thanks Splunk Team, I am posting this answer on behalf of you.

Regards,
Disha

View solution in original post

dishasaxena
Path Finder

We had an discussion with Splunk Team, we raised this query with them and as per their response, total volume will be divided into both days license count depending upon their indexing volume that has been indexed per day.

In other words, the volume which has been indexed before till 11:59PM today will be counted in today's license, rest of the volume of that file will be get calculated in licnse count of next day.
My query had not any dependency on Licensing server. It has its own defined role.

Thanks Splunk Team, I am posting this answer on behalf of you.

Regards,
Disha

lpolo
Motivator

The license count is per day. You can verify this with the following splunk query:

splunk_server=your_license_server index=_internal source="*license_usage.*" AND  st=your_source_type | eval GB=b/1024/1024/1024  | bucket _time span=1d| stats sum(GB) as GB by _time st

Assuming that your splunk license server name is "a.com" and the source type is "tcp-raw" the query will be:

splunk_server=a.com index=_internal source="*license_usage.*" AND st=tcp-raw | eval GB=b/1024/1024/1024  | bucket _time span=1d| stats sum(GB) as GB by _time st

Select the dates you need.

Thanks,
Lp

dishasaxena
Path Finder

Hi Ipolo,
Did you get any idea?

Regards,
Disha

0 Karma

dishasaxena
Path Finder

Hi Ipolo,

Thanks for your answer, sincere apologies for replying so late.
I would like to give an example to explain my query, if I am indexing a file of 4GB at the end of the day, then if 1GB file gets indexed at same day before 12:00AM of next day and rest of the 3GB file completes its indexing after the start of the next day, then how license usage will be calculated? Will it be counted in previous day or in the license usage count of next day, or will it be divided as per the size?
Please suggest.

Regards,
Disha

0 Karma

lpolo
Motivator

The license server keeps track of the license usage of each indexer. Therefore, the query will do its job either way.

0 Karma

gfuente
Motivator

Hello, I think it will work if your license server is also an indexer. If not it won work

0 Karma

lpolo
Motivator

Your observation is valid. However, the query is correct. If the query is executed from a master head server, the query will work. If the query is executed in the license server perse the query will work too.

0 Karma

gfuente
Motivator

I think there is a mistake in your search, the first part should read host=a.com instead of splunk_server=a.com

Unless is a standalone server

Regards

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...