Information Technology Grimoire

Version .0.0.1

IT Notes from various projects because I forget, and hopefully they help you too.

Splunk Licensing

http://127.0.0.1:8000/en-US/app/splunk_monitoring_console/search?q=search%20Denied%20%7C%20stats%20count(DPT)%20by%20SRC&display.page.search.mode=verbose&dispatch.sample_ratio=1&workload_pool=&earliest=%40mon&latest=now&display.page.search.tab=patterns&display.general.type=statistics&sid=1603753714.265&display.visualizations.charting.chart=pie

Changing to Free License:

  • Log in to Splunk Web as a user in the admin role
  • Select Settings > Licensing
  • Click Change License Group
  • Select Free license
  • Click Save
  • You are prompted to restart

See top LIcense Consumers

https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/AboutSplunksLicenseUsageReportView

On the monitoring console:

  • Navigate to Settings > Monitoring Console.
  • Navigate to Indexing > License Usage.
  • Select License Usage.

Usage Reports

  • Settings > System > Usage Report
  • 0 Quota means your license is invalid.
  • Switch license group to free for 500mb quota daily
  • You won’t get alerts in free version
  • You cannot have a password in free version

License View App

https://splunkbase.splunk.com/app/3521

LIcense View Searches

| rest splunk_server=splunk-master /services/licenser/pools | rename title AS Pool | search [rest splunk_server=splunk-master /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "Used"=round(used_bytes/1024/1024/1024, 3) | eval "Quota"=round(quota/1024/1024/1024, 3) | fields Pool "Used" "Quota" | where '% used' > 75