How to create a timechart on license usage to show the max usage and the individual usage for each of our Splunk environments?

prakash007
Builder

I have been trying to create a timechart on license usage. I did try the search below.

index=_internal source=*license_usage.log* type=Usage NOT idx=sos
| timechart span=1d sum(eval(round(b/1024/1024/1024,5))) by idx
| eval Test=(uat1+uat2+uat3)
| rename main AS Prod
| eval TotalLicenseConsumption=(Test+Prod)
| fields - default uat1 uat2 uat3

Looking for a chart with the requirements below. Any help would be appreciated.

1. To display the max license (200GB in my case) in the bar graph
2. Show the individual usage line graph (might be an overlay graph on top of 1) for Test, Prod and Total license consumption.

0 Karma

twinspop
Influencer

For the overall license usage and total available, explore the REST API. I used that as the basis for a fill-gauge panel using the below search. The "Danger Zone(tm)" adjusts based on time of day.

| rest splunk_server=local /services/licenser/pools/your_pool | 
fields title effective_quota used_bytes | 
eval used=round(used_bytes/(1024*1024*1024),2) | 
eval h=tonumber(strftime(now(),"%H"))/24 | 
eval danger=round(h*effective_quota/(1024*1024*1024),0) | 
eval max=round(effective_quota/(1024*1024*1024),0) | 
eval base=0 | 
eval gauge_top=max+(max*.01) | 
gauge used base danger max gauge_top

0 Karma

ddrillic
Ultra Champion

I just ran a simplified one on one indexer -

index=_internal source="/opt/splunk/var/log/splunk/license_usage.log"
| timechart span=1d sum(eval(round(b/1024/1024/1024,5))) by idx

The report shows mostly NULL - what can it be?

Sorry, the picture is below...

0 Karma

prakash007
Builder

Based on the picture you attached, it has to show the license usage by individual indexes. Run the search for more than a day, as the search says span=1d.

0 Karma

ddrillic
Ultra Champion

Changed it to span=1w and still I see the NULLs...

0 Karma

prakash007
Builder

Can you just try and check the fields to see if you can find idx, as we did a timechart by idx?

index=_internal source="/opt/splunk/var/log/splunk/license_usage.log"

0 Karma

martin_mueller
SplunkTrust

I get the feeling you may be on an older version of Splunk? If so, upgrade to 6.4.0 and take a look at Settings -> Licensing -> 30 day report on your license master.
That has maximum pool size overlays, split by pool, etc.

0 Karma

martin_mueller
SplunkTrust

Splunk 6.3 will do fine. I was just thrown by idx=sos, Splunk on Splunk has been superseded by the distributed management console.

To get the query, open Settings -> Licensing -> 30 Days and click the magnifying glass in the bottom left of the chart.

0 Karma

prakash007
Builder

Martin,

We're on 6.3.1, and we don't have a plan to upgrade to 6.4 shortly. Is there any way I can get a query which reports maximum pool size overlays in the chart?

0 Karma
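
For the 6.3.1 case asked about above, one way to put the pool size next to the per-environment usage in a single search (an added example, not from any poster in this thread and not the query behind Splunk's built-in report). It assumes the `type=Usage` events carry a `poolsz` field and that all usage falls in one license pool; the `env` field and the index-to-environment mapping are illustrative and follow the question's `main` and `uat1` to `uat3` index names.

```spl
index=_internal source=*license_usage.log* type=Usage NOT idx=sos
| eval env=case(idx=="main", "Prod", idx=="uat1" OR idx=="uat2" OR idx=="uat3", "Test")
| timechart span=1d
    sum(eval(if(env=="Prod", b, 0))) AS Prod
    sum(eval(if(env=="Test", b, 0))) AS Test
    max(poolsz) AS MaxLicense
| eval TotalLicenseConsumption=Prod+Test
| foreach Prod Test TotalLicenseConsumption MaxLicense
    [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 2) ]
```

To get the bar-plus-lines layout, render the result as a column chart and list Test, Prod and TotalLicenseConsumption as chart overlay fields (`charting.chart.overlayFields` in Simple XML), which leaves MaxLicense as the bar.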