Just sharing a query I found useful lately when licensing dashboards are being silly. Mileage may vary. index=”_introspection” component=”licensing.stack”| bucket _time span=1d | stats latest(“data.consumption”) as dataConsumption latest(“data.pools{}.quota”) as poolQuota by _time| eval pctUsed=(dataConsumption/poolQuota * 100)| timechart span=1d max(pctUsed)
License Usage by Pool per hour for last 24 hours
Have a misbehaving License Pool that the admin swears he fixed this morning? index=_internal source=*license_usage.log* type=Usage earliest=-24h| bucket _time span=1h | stats sum(b) as bytes by _time, pool | eval GB = round(bytes/1024/1024/1024,5) | fields _time pool GB
License Usage by Index per Day
The following Splunk search query will output license usage for each index for each day for the week to date. It will also output an average for each index over the course of the given time period. index=_internal source=*license_usage.log type=”Usage” splunk_server=* earliest=-1w@d | eval Date=strftime(_time, “%Y/%m/%d”) | eventstats sum(b) as volume by idx, Date […]
Percentage of Daily License Usage
This Splunk search query will indicate the percentage of license used for the current day. This is already shown in the licensing tab under settings, however this query is extracted if you would want to use it within a dashboard or any other reason. NOTE – splunk_server= should be set to your license master. […]
Top 5 License Consuming Hosts
The following Splunk search query will return the top five licensing consuming hosts: index=_internal source=*license_usage.log type=”Usage” | stats sum(b) AS volume by h | eval GB=round(volume/1024/1024/1024,5) | table h GB | sort 5 – GB
License Usage by Sourcetypes
The following Splunk query will return results for license usage by sourcetype: index=_internal source=”*license_usage.lo*” type=Usage | stats sum(b) as bytes by st | eval Megabytes=bytes/1048576 |eval Megabytes=round(Megabytes,2) | fieldformat Megabytes=tostring(Megabytes,”commas”)| rename st as sourcetype | fields – bytes | sort – Megabytes
Splunk License Usage Over the Last 30 Days
The following Splunk Search will show license usage over the past 30 days: index=_internal source=*license_usage.log type=”RolloverSummary” earliest=-30d@d | eval _time=_time – 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS “volume” fixedrange=false | join type=outer _time [ search index=_internal source=*license_usage.log type=”RolloverSummary” earliest=-30d@d | eval _time=_time […]
Splunk License Gauge
This Splunk search query will show current license usage | rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | join type=outer stack_id [rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota] | stats sum(used_bytes) as used max(stack_quota) […]
