Hi,
I have installed SOS app but am unable to find who is using up our license and why it isn't working for all indexers
Need your help here asap. If you need more details let me know.
Though 13 months older data is getting deleted on regular basis.
Thanks
Surekha
Are you using splunk 6.1 or higher. Consider setting the Splunk management console.
This may give you want you want. http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/ConfiguretheMonitoringConsole
You can view license usage from the license master :
https://127.0.0.1:8000/en-US/manager/search/licenseusage
from here you can split by source, sourcetype, index, host etc..
Have you tried running the Splunk built in report to see what's heavy on your indexers?
index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx
Hi,
This query doesn't return me any result. Says No Result Found.
Can you please help me in knowing this frm the server/backend level meaning from the idx servers and going to the licenseusage.log file. Because i can view the log file. Is there anything which i can look for in the license_usage.log file to know who is consuming more.
Thanks
Surekha
splunksurekha -
Are you either running the search on your License Master or are you sure that the license master is forwarding to your indexers? Looking at the license log itself it going to be to be difficult, since it's only reporting in small increments. Something like the search kendrickt gives is what you'll need to show how it adds up.