- Splunk Answers
- :
- Splunk Administration
- :
- Installation
- :
- How to get the License usage by host - (with a lic...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Deployment Setup:
License Master Server -1
********************
Splunk Indexer - 2
Splunk Search head - 1
Heavy Forwarder - 2
I have pointed all the instance to my license master server.
currently , I do calculate the daily license usage of splunk by Indexers , by running the below query in License Master Server :
index=_internal source=*license_usage.log* type=Usage earliest=@d |bucket _time span=1d |stats sum(b) AS volume_bytes by _time host pool i |eval volume_GB=round(volume_bytes/1024/1024/1024,3) |rename i AS indexer_GUID |JOIN indexer_GUID [|REST /services/licenser/slaves | table title label|rename title AS indexer_GUID| rename label AS indexer_name]|timechart values(volume_GB) by indexer_name usenull=f useother=f
Search head & Heavy forwarder doesn't consumes license quota - But license_usage.log files still logs some bytes. (why ?)
_internal logs doesnt consumes any license quota.
query 1:
I would need to monitor the license usage by hosts. where should I run the query ?
Every splunk instance has the license_usage.log file, does all the files captures the usage ?
Do I need to run the below query in each indexers and the total sum ? What is the right way ?
License usage by host :
index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi splunker12er,
this is how I would do it:
- forward all Splunk instances internal logs to the two indexers, see docs http://docs.splunk.com/Documentation/Splunk/6.2.1/DistSearch/Forwardsearchheaddata
- setup / run your query on the search head, but not against the metrics.log (this only tracks the top ten usages per type http://docs.splunk.com/Documentation/Splunk/6.2.1/Troubleshooting/Aboutmetricslog)
- Use as well the
License Usageview on the license Master to get an overviewhttp[s]://splunk-url:splunkport/en-GB/manager/search/licenseusage#historyTab
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search head & Heavy forwarder doesn't consumes license quota - But license_usage.log files still logs some bytes. (why ?)
_internal logs doesnt consumes any license quota.
What are the index/source/sourcetype of those events from the SH/HFWD ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi splunker12er,
this is how I would do it:
- forward all Splunk instances internal logs to the two indexers, see docs http://docs.splunk.com/Documentation/Splunk/6.2.1/DistSearch/Forwardsearchheaddata
- setup / run your query on the search head, but not against the metrics.log (this only tracks the top ten usages per type http://docs.splunk.com/Documentation/Splunk/6.2.1/Troubleshooting/Aboutmetricslog)
- Use as well the
License Usageview on the license Master to get an overviewhttp[s]://splunk-url:splunkport/en-GB/manager/search/licenseusage#historyTab
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay. If I forward all the splunk instances _internal logs to my 2 indexers.,
- First of all when I forward _internal logs of splunk instances to indexer - they will get indexed in indexer which consumes license volume
- To which index I should forward ? (_internal ?) 3a. If I should not use license query against metrics.log on the search head ., what is the source that I should use to run the query ? 3b. what is the concept in moving the other splunk instances log to central indexers ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to answer this shortly...
- no, they will not consume license volume
- your
_internalevents will be forwarded by default to index_internal3a. Use the license_usage.logindex=_internal source="*license_usage.log"or change the setting for metrics.log ( http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/Limitsconf ) 3b. This way you can search all the internal logs from the search head for troubleshooting reasons or any other use case you need to search any of the others Splunk instances logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Excellant..Thank you MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, please mark this as answered if it answers your question...you're not only helping others by marking this as answered, but you will also get some karma as well 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is very much accpeted ...;)
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
