Getting Data In

License Usage by sourcetype in 6.6

rkilen
Explorer

I just upgraded from 6.5.6 to 6.6.5, and some searches I was doing in my personal dashboard stopped working.

Through 6.5 I've been using some RT searches to watch the top 10 sourcetypes getting indexed over the past hour. These searches are based on some I found in the old Deployment Monitor app, and start by searching "index=_internal source=license_usage.log type=Usage", then breaking down the results so as to create a stacked area chart. One dashboard panel was broken down by ST, the other by host. Using these I could contact one of my users and note that they were sending an unusual amount of events, in case they weren't aware of that.

Now that I'm running 6.6, those searches don't return any results, as the license usage is being tracked in the license_usage_summary.log file, which is forwarded to the _telemetry index, as I learned looking at the searches in the Monitoring Console. I have looked through the MC, but so far haven't found any panels that I can borrow from. In the License Usage choices under Indexing, the only choices I have are either Previous 30 Days or Today. In Previous I can split by ST, but not in Today, so it won't meet my requirements for ST usage anomalies.

Does anyone have a suggestion for how to monitor the highest ST usage over the past hour or so?

0 Karma

mayurr98
Super Champion

Hey, try this:

Just run the search below for any custom time range; select Today in the time picker.

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| timechart span=1d sum(b) AS volumeB by st fixedrange=false
| join type=outer _time
    [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
    | eval _time=_time - 43200
    | bin _time span=1d
    | stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Let me know if this helps you!

0 Karma

somesoni2
SplunkTrust

AFAIK, license_usage.log is still being logged and does allow splitting by sourcetype. Can you try running your index=_internal source=*license_usage.log on your license master instance?

http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/AboutSplunksLicenseUsageReportView#Previous_...

0 Karma
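As an added example (not posted by anyone in this thread), here is a search that builds on the same license_usage.log type=Usage events and their b and st fields to flag sourcetypes whose last-hour volume is far above their own hourly average over the preceding 23 hours, which is closer to the "ST usage anomalies" goal of the question than a daily breakdown. It assumes the search runs where license_usage.log is indexed (the license master, as the reply above notes) and that the 3x threshold and 24h window are tunable placeholders:

```spl
index=_internal source=*license_usage.log* type="Usage" earliest=-24h latest=now
| eval st=if(isnull(st) OR len(st)=0, "(UNKNOWN)", st)
| eval window=if(_time >= now()-3600, "last_hour", "baseline")
| chart sum(b) OVER st BY window
| fillnull value=0 baseline last_hour
| eval baseline_per_hour=baseline/23
| eval last_hour_MB=round(last_hour/1024/1024, 3)
| eval baseline_MB_per_hour=round(baseline_per_hour/1024/1024, 3)
| eval ratio=if(baseline_per_hour > 0, round(last_hour/baseline_per_hour, 2), null())
| where last_hour > 0 AND (isnull(ratio) OR ratio >= 3)
| sort - last_hour
| head 10
| table st last_hour_MB baseline_MB_per_hour ratio
```

A null ratio means the sourcetype sent nothing in the previous 23 hours and only appeared in the last hour, which is usually the case most worth a follow-up with the owner. For the stacked area chart the question describes, replace everything after the first eval with `| timechart span=5m sum(b) AS bytes BY st limit=10 useother=f` and set the time picker to the last 60 minutes.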