- Splunk Answers
- :
- Splunk Administration
- :
- Installation
- :
- License usage by own sourcetype / App
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to qurey from a license host on the _internal index the license usage of specific, individual defined sourcetypes in separate apps. If I run the search on the _internal index i dont see my sourcetypes?
the goal is to have a report based on each own app (use case) and a breakdown to the data source / sourcetype included in the app.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to see the license usage by sourcetype using following query.
index=_internal source=*license_usage.log type=usage | stats sum(b) as usageGB by st | eval usage=round(usage/1024/1024/1024,3) | rename st as sourcetype
Splunk doesn't log license usage based on app name. For that you should generate a lookup table manually with app name to sourcetype mapping and include that in above query to get the app name as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to see the license usage by sourcetype using following query.
index=_internal source=*license_usage.log type=usage | stats sum(b) as usageGB by st | eval usage=round(usage/1024/1024/1024,3) | rename st as sourcetype
Splunk doesn't log license usage based on app name. For that you should generate a lookup table manually with app name to sourcetype mapping and include that in above query to get the app name as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, thanks. yes that works - as long as that individual indexer is not connected to a license master. Afterwards there is no information locally on the license slave to license usage.
is there any possibility to log that information as well on the license slave?
THANKS!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The license master node manages the licensing and all logs are generated on license master. It is recommended thought to forwarder the (internal) logs from license master/search head to indexers, so that you'll have data in one centralized location (indexers). Any specific reason you want to run search from individual license slave/indexers?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for the quick reply. yes. the license master is provided by central it department. different business departments (industry) operate their own Splunk instance and need to check during development of apps how much license the use case consumes and what impact adjustments to data sources have on the license volume. the way going always to central IT for reports is a bit complicated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you see the license usage log, there is field called i which is the indexer GUID. You can create a lookup with GUID and Indexers ( | rest /services/licenser/slaves | table title label | rename title as i label as Indexer ) and add to license usage report to see data for specific indexers.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
