Monitoring Splunk

Splunk License Usage - Month over Month

moesaidi
Path Finder

We upgraded to 6.5.2 recently and was under the impression that 6.5 keeps license usage history over 30 days (unlike the older 6.2, etc..)

When I check out LURV or try to run a few searches, I can still only see 30 days worth of license usage data.

Has anyone been able to identify a way to generate a report of license usage over, say, the past 6 months to try to determine growth projections and whether additional license will need to be purchased over X months etc.. ?

Any help is appreciated.

Tags (1)
0 Karma

woodcock
Esteemed Legend

If the problem is that events are expiring out of _internal or _telemetry while you still need them and you cannot extend the retention, you can create a summary index (which will be TINY) and schedule a saved search to run nightly that dumps a daily summary and you can search from that.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

In addition to this, you can adjust the retention time of the _internal index. This is where the metrics and license usage data is stored. Extend that to 6 /9 / 12 months etc.
Just be aware of the implications this would have on disk space on your indexers.

0 Karma

moesaidi
Path Finder

I wish I could set _index to over 30 days though like you said, that would use up a lot of disk space.
I was under the impression _telemetry would save licensing data and that by default is kept for 6 months.

0 Karma

woodcock
Esteemed Legend
0 Karma

moesaidi
Path Finder

I've tried this before and now again, even after adjusting the 'earliest' value or using timewrap it only shows me the last 30 days.
It seems to use the _internal index which is only retained for 30 days, but I thought 6.5.x and higher was using _telemetry index for licensing which is stored for 6 months.

Any other ideas?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...