Splunk License Usage message

athorat · ‎09-23-2015

We have the license to consume 500 GB or DATA . Yesterday we consumed around 103 gb of Data.

And today we see a message in Splunk: Search peer p01apl302.XXX.XX.com has the following message: License warning issued within past 24 hours (Please refer to the License Usage Report view on license master p01apl304.XXX.XX.com to find out more). Wed Sep 23 00:00:00 2015 MST

On the cluster master : Licensing » License Usage Reporting
Today's License Usage (GB) : 26 GB
Today's Percentage of Daily License Quota Used per Pool : Used %42GB
Pool Warning Information: Current Quota in GB shows 48

Its confusing as to why we are getting the license usage message and what is the actual usage

If I run the query
index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |timechart span=d sum(GB)
It shows the usage as 54GB for today.

Any inputs appreciated.

MuS · ‎09-24-2015

Hi athorat,

Splunk license model is based on the license usage within 24 hours of the day; therefore Splunk will only keep track of the license usage for the current day.
You can get some historical data from metrics.log but be aware that it will not be 100% precise, because By default, metrics.log reports the top 10 results for each type. see docs http://docs.splunk.com/Documentation/Splunk/6.3.0/Troubleshooting/Aboutmetricslog and it's only available for the last 30 days, because the default retention of index=_internal is 30 days.

You can setup above search http://answers.splunk.com/comments/310738/view.html as saved search and summary index the results to keep it for more than 30 days.

Hope this helps ...

cheers, MuS

somesoni2 · ‎09-23-2015

Go to licensing page in your license master server, and check the usage there (just below the "Splunk Enterprise stack"). THis should give you current capacity and current usage by pool (if you've created multiple pool, all will be listed here, otherwise default "auto_generated_pool_enterprise").

http://YourLicenseServer:webPort/en-US/manager/system/licensing

MuS · ‎09-23-2015

In addition you can run this little search on your License Master:

| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | join type=outer stack_id [rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota] | stats sum(used_bytes) as used_in_bytes max(stack_quota) as License_in_bytes | eval used_in_MB=round(used_in_bytes/1024/1024,3) | eval License_in_MB=round(License_in_bytes/1024/1024,3) | eval used_in_GB=round(used_in_bytes/1024/1024/1024,3) | eval License_in_GB=round(License_in_bytes/1024/1024/1024,3) | table License_in_bytes used_in_bytes License_in_MB used_in_MB License_in_GB used_in_GB

Reports back a little table of the License usage as in bytes, MB and GB

cheers, MuS

athorat · ‎09-24-2015

@MuS
I see that we have 500 GB of license and the current usage is 148 GB for TODAY, assuming this query runs only for the day.
I am not able to see the usage for any other dates.
Is there a way to run this query from the search head and for any specific dates.

Thanks.

Splunk License Usage message

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes