We upgraded to 6.5.2 recently and was under the impression that 6.5 keeps license usage history over 30 days (unlike the older 6.2, etc..)
When I check out LURV or try to run a few searches, I can still only see 30 days worth of license usage data.
Has anyone been able to identify a way to generate a report of license usage over, say, the past 6 months to try to determine growth projections and whether additional license will need to be purchased over X months etc.. ?
Any help is appreciated.
If the problem is that events are expiring out of _internal
or _telemetry
while you still need them and you cannot extend the retention, you can create a summary index (which will be TINY) and schedule a saved search to run nightly that dumps a daily summary and you can search from that.
In addition to this, you can adjust the retention time of the _internal index. This is where the metrics and license usage data is stored. Extend that to 6 /9 / 12 months etc.
Just be aware of the implications this would have on disk space on your indexers.
I wish I could set _index to over 30 days though like you said, that would use up a lot of disk space.
I was under the impression _telemetry would save licensing data and that by default is kept for 6 months.
Get the search from the Monitoring Console
:
https://docs.splunk.com/Documentation/Splunk/6.6.1/DMC/DMCoverview
Then use the timewrap
command:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Timewrap
I've tried this before and now again, even after adjusting the 'earliest' value or using timewrap it only shows me the last 30 days.
It seems to use the _internal index which is only retained for 30 days, but I thought 6.5.x and higher was using _telemetry index for licensing which is stored for 6 months.
Any other ideas?