"License Usage - Previous 30 Days" dashboard broke...

girtsgr · ‎02-27-2019

In a distributed environment the master "License Usage - Previous 30 Days" and "License Usage - Today", and the searched associated with them returns no data.

However, I get the data if I try this search:
index=_internal
[ set_local_host] source=license_usage.log type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=false
| join type=outer _time
[ search index=_internal
[ set_local_host] source=license_usage.log type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach *
[ eval <>=round('<>'/1024/1024/1024, 3)]
which I found here: https://answers.splunk.com/answers/618300/why-is-there-no-license-usage-data-available-in-sp.html

There are no errors or warning regarding dmc_licensing_summery_no_split in index="_internal". Is there anything I can do?

pkeenan87 · ‎02-28-2019

In a distributed environment you will need to make sure that your license master is forwarding its logs to the indexing tier similar to what you do with Search Heads. This guide should help out: https://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Forwardsearchheaddata

girtsgr · ‎03-01-2019

It is. index="_internal" shows events from all the servers, including the licence masters.

divvyamehta · ‎02-27-2019

[ set_local_host] -> this will search for local host, is your local host the license master ? if not then instead of local host set it the name of your license master

girtsgr · ‎02-28-2019

Yes, it's the licence master.

"License Usage - Previous 30 Days" dashboard broken?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases