Splunk Daily License consumption for a specifc ind...

SplunkExplorer · ‎02-26-2024

Hi Splunkers, I have a doubt about License Consumption.
I'm not here to ask how to calculate daily ingestion and/or license consumption in a Splunk Envrinonment.
Community is full of topic about this and I have my search I use when no Monitor Console is configured.
The point is the following: on a LM, I have 3 different environment, each one with a set of SH, indexers and so on. The only "point of contact" is the LM itself, so, in a schematic way:

Env A (SHs, IDX cluster, others hosts) ---> LM "X"
Env B (SHs, IDX cluster, others hosts) ---> LM "X"
Env C (SHs, IDX cluster, others hosts) ---> LM "X"

Question is: what about if I have to search daily license consumption for only one of above ENVs? For example, I want calculate license consumption only for Env A.
First thing I thought: Ok, I have two options:

Use MC
Use my search on _internal logs, based on license consumption data, and specify, as idx parameter, only indexes subset for desiderd ENV.

PROBLEM: ENVs have not totally different indexes. For example, index "linux_audit" is set on all 3 env. So, if I try to differentiate cluster based on their own indexes, I'm not able to do this.

PickleRick · ‎02-26-2024

You can either search on each environment separately (which I assume you don't wanna do) or use the LM as a "central search head" from which you'll be able to spawn searches to each of those environments. Then you can just search specific peers.

https://docs.splunk.com/Documentation/Splunk/9.2.0/Search/Searchdistributedpeers

Splunk Daily License consumption for a specifc indexers cluster

administration

using Splunk Enterprise

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?