Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get Splunk license utilization for the last 3 months

pratapa
Explorer
‎02-03-2020 09:52 PM

Can you please let us know how to get Splunk license utilization for the last 3 months.

We would like to know through query.

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-04-2020 12:38 AM

Hi @pratapa,
you can use the usual dashboard with license usage and modify it for a period of 90 days instead 30 days:

index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-90d@d   
| eval _time=_time - 43200 
| bin _time span=1d 
| stats latest(b) AS b by slave, pool, _time 
| timechart span=1d sum(b) AS "volume" fixedrange=false 
| join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-90d@d 
| eval _time=_time - 43200 
| bin _time span=1d 
| dedup _time stack 
| stats sum(stacksz) AS "stack size" by _time] 
| fields - _timediff  
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

or to use the Splunk License Usage App ( https://splunkbase.splunk.com/app/174/ ).

Only one attention: be sure that the retention of _internal index is more than 90 days, otherwise you haven't your results.

Ciao.
Giuseppe

0 Karma
Reply

rahul2gupta
Path Finder
‎07-16-2020 11:43 PM

Hi @gcusello ,

I ran the following query but able to get only last 30 days license uasge.

Could you please suggest what modifications needs to be done to get last 90 days usage.

index=_internal source=*license_usage.log* type="RolloverSummary" earliest=-90d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=false
| join type=outer _time [search index=_internal source=*license_usage.log* type="RolloverSummary" earliest=-90d@d
| eval _time=_time - 43200
| bin _time span=1d
| dedup _time stack
| stats sum(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

us1.PNG

us2.PNG

Regards,

Rahul

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-17-2020 12:29 AM

Hi @rahul2gupta,

probably the problem isn't on the search but on the logs: internal logs has usually a retention of 30 days.

if you want more than 30 days, you have to extend the retention period of _internal index (with more storage occupation, or schedule a search that every night calculate the sum of day license consumption and store this information in a summary index.

Ciao.

Giuseppe

Reply

rahul2gupta
Path Finder
‎07-17-2020 01:37 AM

Thank you @gcusello legend.

Regards,

Rahul

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-17-2020 11:50 PM

Hi at all, 

thank you for your Karma Point, please, accept the answer for the other people of the Community.

Ciao and next time.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-17-2020 12:25 AM

it needs that your retention time for _internal is at least 90 days. 

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...