Splunk® Enterprise

Admin Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Use the License Usage Report View

This topic is about using the license usage report view. To learn about the view, read the previous topic, "About Splunk's license usage report view."

Set up an alert

You can turn any of the LURV panels into an alert. For example, say you want to set up an alert for when percentage reaches 80% of the quota.

Start at the Today's percentage of daily license usage quota used panel. Click "Open in search" at the bottom left of a panel. Append

| where '% used' > 80

then select Save as > Alert and follow the alerting wizard.

Read more about alerts in the Alerting Manual.

Troubleshoot LURV

No results in 30 days tab

A lack of results in the panels of the "Last 30 days" view of the License Usage Report View indicates that the license master instance on which this page is viewed is unable to find events from its own $SPLUNK_HOME/var/log/splunk/license_usage.log file when searching.

This typically has one of two causes:

  • The license master is configured to forward its events to the indexers (read more about this best practice in the Distributed Search Manual) but it has not been configured to be a search head. This is easily remedied by adding all indexers to whom the license master is forwarding events as search peers.
  • The license master is not reading (and therefore, indexing) events from its own $SPLUNK_HOME/var/log/splunk directory. This can happen if the [monitor://$SPLUNK_HOME/var/log/splunk] default data input is disabled for some reason.

You might also have a gap in your data if your license master is down at midnight.

Find more about values labeled "Other"

All visualizations in the "Previous 30 days" panels limit the number of values that are plotted for any field you split by. If you have more than 10 distinct values for any of these split-by fields, the values after the 10th are aggregated and labeled "Other." We've set this maximum to 10 using timechart. We hope the limit of 10 gives you enough information most of the time without making the visualizations difficult to read.

If you need more information about data labeled "Other" on a panel:

  • On the panel in question, click Open in search (the spyglass icon).
  • In the search bar, add a limit higher than 10 to the timechart command. For example, if you want 40 values, append limit=40 after timechart and before AS in the search string.
PREVIOUS
About the Splunk License Usage Report View
  NEXT
Apps and add-ons

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters