License Usage Reporting Gets Some “LURV” in Splunk 6

Since Splunk is licensed by indexing volume per day, it’s probably good to know what your volume of indexed data per day is, right? Are you using a little bit of your license? Are you using most of your license? Are you blowing out your Splunk license regularly and hopefully love the product and need to get more? In the past, there have been several ways to get better visibility into your license consumption. There are license usage dashboards in S.o.S, Deployment Monitor, and a License Usage App on the Splunk apps page. If you were savvy with the Splunk search language, and didn’t mind getting your hands dirty, perhaps you even tried to craft your own using the data found in $SPLUNK_HOME/var/log/splunk/license_usage.log.

All of these approaches are fine and in fact S.o.S and Deployment Monitor provide much much more information about your Splunk deployment than simply license usage. The only drawback here is that these apps require some forethought regarding installation although if you are administering a large Splunk environment, you probably have one or the other or both installed. I’ve always thought that understanding your license consumption is something so fundamental to the operation of Splunk, that it should be right there in our Manager or Settings menu, out-of-the-box, no brain required.

So that’s exactly what we did for Splunk 6. If you look in the “Settings” menu in Splunk 6, then “Licensing”:

There is a new button that shows up on your License Master (it will be hidden on License Slaves) called “Usage Report”:

Warning:  Clicking on this button may provide immediate Splunk license gratification.  The default page for the License Usage Reporting View (LURV) is your consumption of Splunk license today:

Out of the gate, in the upper left-hand corner, I get a simple reading of how much license I’ve used on this day against the aggregate of all licenses installed on this License Master, despite how I may have allocated my license.  In this particular case, we’re standing at 243GB of indexing today against a 1TB daily license.  Then, depending on how you have allocated your license pools, you will get a chart of volume in GB against pool size broken down by pool and then a percentage of usage against license pool also broken down by pool.  Below these, you will find a plethora of details about license warning per pool and which of the License Slaves are the violating culprits.

License Usage for today is very useful but I may also want to look at longer term trends on how I’m using my Splunk license with some other relevant splits.  The second tab gives us a view of how we’ve been consuming data for the last 30 days.

A brief aside on some details of license capture in Splunk.  When a License Slave is reporting usage to a License Master, we record the consumption by sourcetype, source, host, and index (new in Splunk 6!) in license_usage.log.  We guarantee full fidelity recording of sourcetype and index but if the tuple of sourcetype, source, host, and index reaches a threshold (currently 2000 in Splunk 6), we will squash details of source and host.  You can actually raise this limit in server.conf using the squash_threshold stanza although setting this higher might cause more memory consumption and the size of license_usage.log to explode.  Anyhow, what you see in this 30-day usage report might be squashed if you are splitting by host or source and the UI will tell you so when selecting this split-by.  Since these logs regarding license consumption can be voluminous, we’ve also given you the option to accelerate the reporting that drives this view because, hey, who has the time to sit around and wait for dashboards to load?  For example, if you select Split-by Host, you will see the following:

Clicking the “turn on acceleration for this report” will drop you directly into the Searches and reports view for that acceleration and you can enable acceleration from there.  So cool.

What if I’m not on Splunk 6 yet?  All is not lost.  The License Usage Reporting Views have been back-ported in S.o.S version 3.1 which runs on Splunk 4.3 and 5.0 and can be found under Indexing > Metrics.  Deployment Monitor continues to be a fully supported way of getting this information.

So add this one to the win column of stuff that makes your life easier.  Special thanks to Octavio and Splunk Support for their assistance with LURV, Jessica for docs, and Igor and Vainstein for development.

Patrick Ogdin
Posted by

Patrick Ogdin