- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Why is there no license usage data available in Sp...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is there no license usage data available in Splunk?
I was trying to find the license usage logs using the query: index=_internal source=license_usage.log but we are not getting any data. Am able to see one-day data as it runs the query using |rest... I check the list monitor command which also showed the license usage logs being monitored by Splunk.
Note: license master + cluster master + Distributed Management Console are all residing in the same instance.
Please advice
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this for last 30 days on the license master In order to receive logs on search head you need to forward internal logs of license master.
index=_internal
[ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=false
| join type=outer _time
[ search index=_internal
[ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach *
[ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
Also, you can get then same in Settings » Licensing » License Usage Reporting » Previous 30 days
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cluster master internal logs are forwarded to Indexer as best practice?
And in your search try to run it as:
index=_internal source="/opt/splunk/var/log/splunk/license_usage.log"
to get data from license_usage.log
For 30 days license usage
index=_internal source=license_usage.log type=Usage pool= | rename _time as Date | eval Date=strftime(Date, "%m-%d-%y") | stats sum(b) as ub by Date | eval ub=round(ub/1024/1024/1024,3) | rename ub as "Daily License Quota - GB's Used"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
am running the query in search head which is assocaite with all the indexers :
Was able to reterive only the below log
01-29-2018 10:06:30.048 +0000 INFO LicenseUsage - type=Message - License usage logging not available for slave licensing instances, please see license_usage.log on license master=https://X.X.X.X:8089 for usage breakdown
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That means you have not forwarded the internal logs to indexer. In that case run the query from Licence Master.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am running the query from license master only
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
