Splunk® Enterprise

Admin Manual

Download manual as PDF

Download topic as PDF

Use the license usage report view

This topic is about using the license usage report view (LURV). To learn about the view, read the previous topic, About the Splunk Enterprise license usage report view.

Set up an alert

You can turn any of the LURV panels into an alert. For example, say you want to set up an alert for when license usage reaches 80% of the quota.

  1. Start at the Today's percentage of daily license usage quota used panel.
  2. Click "Open in search" at the bottom left of a panel.
  3. Append | where '% used' > 80
  4. Select Save as > Alert and follow the alerting wizard.

Splunk Enterprise comes with several preconfigured alerts that you can enable. See Enable and configure platform alerts in Monitoring Splunk Enterprise.

Troubleshoot LURV

No results in "Last 30 days" tab

A lack of results in the panels of the Last 30 days view of the License Usage Report View indicates that the license master on which you are viewing this page cannot find events from its own $SPLUNK_HOME/var/log/splunk/license_usage.log file.

This typically has one of two causes:

  • The license master is configured to forward its events to the indexers (read more about this best practice in the Distributed Search Manual) but it has not been configured to be a search head. This is easily remedied by adding all indexers to whom the license master is forwarding events as search peers.
  • The license master is not reading (and therefore, indexing) events from its own $SPLUNK_HOME/var/log/splunk directory. This can happen if the [monitor://$SPLUNK_HOME/var/log/splunk] default data input is disabled for some reason.

You might also have a gap in your data if your license master is down at midnight.

Single-source type license limitations

An instance that has both a single-source type license and an Enterprise license does not always show accurate information.

About the Splunk Enterprise license usage report view
About the app key value store

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters