Solved: where can I find when I added or deleted license?

wesplunker · ‎01-10-2018

I have some license，and maybe I added and deleted one of them some months ago。Now,I forget when I deleted it.How can I find out? I search index=_internal,but not found

micahkemp · ‎01-10-2018

I'm going to take a potentially invalid leap here and assume what you really need to do is recover your license, as opposed to determine if/when it was deleted, which only seems valuable to play the blame game to yourself or others.

Log into your Splunk Support Portal and and go to My Licenses. There you should be able to find all your current (and even expired) licenses. If they are not under your name either have the person that does have them log in, or call your Splunk rep and have them add you to the licenses.

And to answer the actual question asked, with the licenses being gone for multiple months, I can't think of any way to determine when they were deleted unless you have extended your _internal index to retain events longer than the default 30 days.

View solution in original post

micahkemp · ‎01-10-2018

I'm going to take a potentially invalid leap here and assume what you really need to do is recover your license, as opposed to determine if/when it was deleted, which only seems valuable to play the blame game to yourself or others.

Log into your Splunk Support Portal and and go to My Licenses. There you should be able to find all your current (and even expired) licenses. If they are not under your name either have the person that does have them log in, or call your Splunk rep and have them add you to the licenses.

And to answer the actual question asked, with the licenses being gone for multiple months, I can't think of any way to determine when they were deleted unless you have extended your _internal index to retain events longer than the default 30 days.

wesplunker · ‎01-10-2018

Thank you !
The reason to determine when they were deleted is I don't believe I deleted it by myself.I want to prove it to my manager.
Now I see,I will extend _internal index to retain events longer than the default 30 days.how can I do that?

micahkemp · ‎01-11-2018

From the indexes.conf spec:

frozenTimePeriodInSecs = <nonnegative integer>
* Number of seconds after which indexed data rolls to frozen.
* If you do not specify a coldToFrozenScript, data is deleted when rolled to
  frozen.
* IMPORTANT: Every event in the DB must be older than frozenTimePeriodInSecs
  before it will roll. Then, the DB will be frozen the next time splunkd
  checks (based on rotatePeriodInSecs attribute).
* Highest legal value is 4294967295
* Defaults to 188697600 (6 years).

If you look at the output of:

splunk btool outputs list _internal

You will see that it is set to 30 days. You can adjust that via the normal configuration means of making a change in a local/indexes.conf.

wesplunker · ‎01-10-2018

I want to know the license history

micahkemp · ‎01-10-2018

The license report may give you the answer you're looking for.

/en-US/manager/search/licenseusage

Check the 30 day tab, it shows stack size, which would change if/when you removed/added a license.

wesplunker · ‎01-10-2018

however ，it's a few months ago.And，it's the App-Exchange license,so there is not report about it

micahkemp · ‎01-10-2018

What do you mean "App-Exchange license"?

wesplunker · ‎01-10-2018

the license for exchange APP,like the ES app。

where can I find when I added or deleted license?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases