How to see how much I am exceeding my license limit by?

chiash
New Member

I have a Splunk 6.5.2 deployment that already has 18 hard violations; therefore, my search has been restricted to internal logs.

I would like to find out how much data has been ingested on each of these specific 18 days so that I know exactly how much I am exceeding the license limit by before I decide if I could reduce the amount of logs sent to Splunk or if I should consider increasing my license limit.

0 Karma

Elsurion
Communicator

Hello

You might try this search. You say you can run searches only on _internal, so it should work. Just take a 30-day timeframe.

index=_internal source=*license* type="Usage"
| fields st, idx, h, b, _time
| bucket _time span=1d
| stats sum(b) as bytes by _time
| eval gb=round(bytes/1024/1024/1024,3)
| table _time gb
| rename gb as "GB/day"
0 Karma

Richfez
SplunkTrust

You can likely find your answers in the Distributed Monitoring Console (DMC), or in the Splunk Enterprise license usage report. Here are the docs for the DMC or, more specifically, for the Licensing section of it (which matches the Licensing report directly).

0 Karma

chiash
New Member

Thanks for the answer. I have tried looking at the license usage report. I am able to see the data for the current day only. When I tried to click the "previous 30 days" tab, the charts turned up empty. I assumed that's because my license has been violated and they have restricted the search capabilities. Is this wrong?

0 Karma

splunker12er
Motivator

No. You are still able to search internal logs.
Try this query from your search application. It gives you the amount of data indexed by host and source.

index=_internal source=*license_usage* type=Usage | stats sum(b) as bytes by h s | sort - bytes
0 Karma