All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk on Splunk: How to find who is using up our license and why isn't it working for all indexers?

splunksurekha
Path Finder
‎01-23-2015 02:31 AM

Hi,

I have installed SOS app but am unable to find who is using up our license and why it isn't working for all indexers
Need your help here asap. If you need more details let me know.

Though 13 months older data is getting deleted on regular basis.

Thanks
Surekha

0 Karma
Reply

bmacias84
Champion
‎08-25-2015 07:32 PM

Are you using splunk 6.1 or higher. Consider setting the Splunk management console.

This may give you want you want. http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/ConfiguretheMonitoringConsole

0 Karma
Reply

rphillips_splk
Splunk Employee
Splunk Employee
‎08-25-2015 04:09 PM

You can view license usage from the license master : 

https://127.0.0.1:8000/en-US/manager/search/licenseusage

from here you can split by source, sourcetype, index, host etc..

0 Karma
Reply

kendrickt
Path Finder
‎01-23-2015 03:44 AM

Have you tried running the Splunk built in report to see what's heavy on your indexers?

index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx
Reply

splunksurekha
Path Finder
‎01-27-2015 12:19 AM

Hi,

This query doesn't return me any result. Says No Result Found.
Can you please help me in knowing this frm the server/backend level meaning from the idx servers and going to the licenseusage.log file. Because i can view the log file. Is there anything which i can look for in the license_usage.log file to know who is consuming more.

Thanks
Surekha

0 Karma
Reply

mikelanghorst
Motivator
‎08-07-2015 09:42 AM

splunksurekha -
Are you either running the search on your License Master or are you sure that the license master is forwarding to your indexers? Looking at the license log itself it going to be to be difficult, since it's only reporting in small increments. Something like the search kendrickt gives is what you'll need to show how it adds up.

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...