How do I find the license capacity of Splunk?
I am using Splunk Cloud and I want to know my license capacity because I am not sure if it is 20GB or 40GB per day.
Looks like to me they are setting the license stack to near unlimited in Splunk Cloud and possibly that's why the stack size does not show up on the monitor console dashboards. In my case, it appears that our license stack is set to 16 Exabytes which is well in excess of our contract. My guess is that the sales reps soft enforce license usage in Splunk Cloud and just phone or email you if you go over the quotas consistently.
So I am thinking you can only review your contract for Splunk Cloud or get your license size from your sales rep.
I would be curious to know if anyone else sees 16 EB for their Splunk Cloud license stack.
Query which should be run over a time period of 24 hours or more to show both historical License Stack(stacksz) and License Use in bytes(b).
You can adjust the last table command to output in Bytes, KB, MB, GB, TB, PB, EB, etc. to your liking.
index=_internal sourcetype=splunkd source=*license_usage.log type=RolloverSummary stacksz>1 poolsz>1 b>0
| bucket _time span=1d
| stats values(stacksz) as stacksz_Bytes sum(b) as usage_Bytes by _time component type stack
| sort -_time
| eval stacksz_KB=round(stacksz_Bytes/1024)
| eval stacksz_MB=round(stacksz_Bytes/1024/1024)
| eval stacksz_GB=round(stacksz_Bytes/1024/1024/1024,2)
| eval stacksz_TB=round(stacksz_Bytes/1024/1024/1024/1024,2)
| eval stacksz_PB=round(stacksz_Bytes/1024/1024/1024/1024/1024,2)
| eval stacksz_EB=round(stacksz_Bytes/1024/1024/1024/1024/1024/1024,2)
| eval usage_KB=round(usage_Bytes/1024,2)
| eval usage_MB=round(usage_Bytes/1024/1024,2)
| eval usage_GB=round(usage_Bytes/1024/1024/1024,2)
| eval usage_TB=round(usage_Bytes/1024/1024/1024/1024,2)
| eval usage_PB=round(usage_Bytes/1024/1024/1024/1024/1024,2)
| eval usage_EB=round(usage_Bytes/1024/1024/1024/1024/1024/1024,2)
| eval usage_Percent=round((usage_Bytes/stacksz_Bytes)*100,2)
| eval remaining_Bytes=stacksz_Bytes-usage_Bytes
| eval remaining_KB=stacksz_KB-usage_KB
| eval remaining_MB=stacksz_MB-usage_MB
| eval remaining_GB=stacksz_GB-usage_GB
| eval remaining_TB=stacksz_TB-usage_TB
| eval remaining_PB=stacksz_PB-usage_PB
| eval remaining_EB=stacksz_EB-usage_EB
| eval remaining_Percent=round(100-usage_Percent,2)
| table _time component type stack usage_Percent remaining_Percent stacksz_Bytes usage_Bytes remaining_Bytes stacksz_KB usage_KB remaining_KB stacksz_MB usage_MB remaining_MB stacksz_GB usage_GB remaining_GB stacksz_TB usage_TB remaining_TB stacksz_PB usage_PB remaining_PB stacksz_EB usage_EB remaining_EB
16 EB - check
hi adtetech,
Also, you can find on SplunkBase the Splunk License Usage Apps.
In addition to the daily license usage, this Splunk Apps provides a dashboard of your Splunk license usage total over the past 24 hours as well as usage by host, source, and sourcetype. It contains timecharts to help you understand usage over time and see usage spikes as well as pie charts to help you to figure out which log files, sourcetypes, and hosts Splunk is indexing the most data from.
for more informations, follow this link:
https://answers.splunk.com/answers/4897/how-to-determine-daily-license-usage-in-gb.html
this is not updated since 2010, support version 5 of splunk enterprise.
Try something like this
index=_internal source=*license_usage.log type=RolloverSummary | stats values(stacksz) as LicenseCapacity by slave | eval LicenseCapacity=LicenseCapacity/1024/1024/1024 | stats sum(LicenseCapacity) as TotalLicenseCapacity