splunk license usage by indexer not on GUID

gnanaraj_mcc · ‎07-02-2019

i am looking for the splunk query to run on the license manager to find out the license usage by indexer name. The license usage log dont have the indexer name, it got only the GUID of the indexer in a field called i. license manager is running 7.0.4 version of splunk

mdsnmss · ‎07-02-2019

index=_internal source=*license_usage.log type="Usage" idx=* st=* 
| rename i as guid 
| join guid 
    [| rest splunk_server=<cluster_master> /services/cluster/master/peers 
    | rename title as guid 
    | fields guid label] 
| bin _time span=1d 
| stats sum(b) as b by _time, label

You can add/remove values as you need and adjust time as needed. What this does is just pulls guid/label info from the master and joins it to the guid. If you aren't clustered we might have to find a different endpoint to hit to grab that info.

gnanaraj_mcc · ‎07-02-2019

Hi mdsnmss,

thanks for your reply. however, this query didn't return any results. i ran this from the license manager GUI. We manage centralized licensing. We create license pool for our internal departments and those departments point their indexers to the license master. These departments want license report by indexers.

Do you know how to pull license usage by indexers in this case?

sloshburch · ‎07-16-2019

That seems like it should have worked. Did you replace <cluster_master>? Perhaps share your SPL or results?

splunk license usage by indexer not on GUID

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases