Alerting

License Violation Prediction

kristian_kolb
Ultra Champion

Hi, just wanted to share my efforts so far regarding an alert for predicting license violations.

I've formulated a search that will look at the license_usage.log and do some math depending on the time of day, in order to predict if there is a risk that there will be a license violation before the end of the day.

However, I've only had a fairly simple installation (1 search head, 2 indexers and only the auto_generated_pool_enterprise) to play with.

The search will set the Violation_Risk to "Yes" if you have more time than license space left at the time the search is run, e.g. if you have used up 53% of your license volume by 12 AM (noon, lunch, whatever you call it), the violation risk is set to "Yes", since you have less than half of the license volume left, but still have half a day (12 hours) to go before the license counter is reset.

 index=_internal source="*license_usage.*" earliest=@d
 | eval GB=round(b/1024/1024/1024,1)
 | eval LGB=round(poolsz/1024/1024/1024,1)
 | stats sum(GB) AS GB_Today values(LGB) AS Limit_GB by pool
 | eval License_Percent_Usage=round(GB_Today/Limit_GB * 100,1)
 | eval Violation_Risk = if((round((((tonumber(strftime(now(), "%H")) * 60) + tonumber(strftime(now(),"%M"))) / 1440)* 100,1)) < License_Percent_Usage, "Yes", "No")

The output will look something like this.

 pool                               GB_Today  Limit_GB  License_Percent_Usage  Violation_Risk  
 auto_generated_pool_enterprise     4.0       20.0      20.0                   No 

You can/should set a scheduled search to run this query... say every hour, with the Custom Condition Search set to

search Violation_Risk = Yes OR License_Percent_Usage > 90

This will also give you an alert if the usage exceeds some value of your choice, in this case 90, regardless of how much time is left before midnight.

Feel free to suggest improvements - especially if you have a more complicated setup license wise (stacks, pools, whatnot).

Notes:

  • The algorithm is admittedly a bit crude, since it assumes an even usage over time.
  • Does anybody know from where Manager -> Licensing gets its usage values? It is a lot quicker than performing the search through the license_usage.log.

Hope anyone finds this useful.

Kristian
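The projection behind the search above, as an added Python example (not code from the original post): it parses constructed license_usage.log "Usage" lines, sums `b` per pool, and compares the elapsed share of the day with the usage percentage exactly as the SPL does, then also reports the linear end-of-day projection that comparison implies. The exact log line layout and the `Projected_EOD_Percent`/`Alert` columns are assumptions.

```python
import re

# Constructed sample of license_usage.log events: two "Usage" events for the pool
# (b = bytes indexed, poolsz = pool size in bytes) plus a non-Usage event that must be ignored.
SAMPLE_LOG = """\
05-14-2013 11:00:00.123 +0200 INFO LicenseUsage - type="Usage" pool="auto_generated_pool_enterprise" poolsz=21474836480 b=1073741824
05-14-2013 11:00:00.124 +0200 INFO LicenseUsage - type="Usage" pool="auto_generated_pool_enterprise" poolsz=21474836480 b=3221225472
05-14-2013 11:00:00.125 +0200 INFO LicenseUsage - type="RolloverSummary" pool="auto_generated_pool_enterprise" poolsz=21474836480 b=99999999999
"""

USAGE_RE = re.compile(r'type="Usage".*?pool="(?P<pool>[^"]+)".*?poolsz=(?P<poolsz>\d+).*?b=(?P<b>\d+)')
GB = 1024 ** 3

def usage_by_pool(log_text):
    """Sum indexed bytes per pool, like `stats sum(GB) ... by pool`; returns {pool: (used_b, poolsz_b)}."""
    totals = {}
    for line in log_text.splitlines():
        m = USAGE_RE.search(line)
        if not m:  # skips RolloverSummary and any other non-Usage event
            continue
        used, _ = totals.get(m.group("pool"), (0, 0))
        totals[m.group("pool")] = (used + int(m.group("b")), int(m.group("poolsz")))
    return totals

def day_elapsed_percent(hour, minute):
    """Share of the 24h license day already gone, computed as the search does from %H and %M."""
    return round((hour * 60 + minute) / 1440 * 100, 1)

def violation_risk(log_text, hour, minute, hard_limit_pct=90.0):
    """One row per pool, mirroring the search output, plus the linear end-of-day projection."""
    elapsed = day_elapsed_percent(hour, minute)
    rows = []
    for pool, (used_b, limit_b) in usage_by_pool(log_text).items():
        used_gb, limit_gb = round(used_b / GB, 1), round(limit_b / GB, 1)
        pct = round(used_gb / limit_gb * 100, 1)
        # Same even-usage assumption as the search; right at midnight (elapsed == 0) there is
        # nothing to project yet, and the search itself flags any usage as "Yes" then.
        projected = round(pct / elapsed * 100, 1) if elapsed else None
        risk = "Yes" if elapsed < pct else "No"
        rows.append({"pool": pool, "GB_Today": used_gb, "Limit_GB": limit_gb,
                     "License_Percent_Usage": pct, "Violation_Risk": risk,
                     "Projected_EOD_Percent": projected,
                     "Alert": risk == "Yes" or pct > hard_limit_pct})  # the Custom Condition above
    return rows

if __name__ == "__main__":
    for row in violation_risk(SAMPLE_LOG, 11, 0):
        print(row)
```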

SQservicedesk
Explorer

Kristian,
Your search is great, good work.
What I have found however, is that the result from your search is larger than the result shown on the "Manager > Licensing" page.

e.g.
- I ran your search and received a result showing that 28% was used.

- I immediately pulled the "Manager > Licensing" in another tab and it shows only 9.8%

Even though your search and the Manager > Licensing summary are using the "auto_generated_pool_enterprise" pool, I can only conclude that your search shows raw usage values before indexing compression and the other screen shows after compression, or similar.

Problem is, I believe the value that will actually blow the limit is the compressed value. If I alerted on your search result, it would alert prematurely (not necessarily a bad thing) but it's not accurate.

Any ideas?

Andrew

kristian_kolb
Ultra Champion

Hi, and thanks for the feedback. I have not really touched this stuff since I wrote it more than a year ago. However, I don't remember seeing figures that were so wildly off. Could it be that something changed since 4.3?

If you want to refine it, you should probably use the REST search approach instead of the license_usage.log (as mentioned by Ayn above). It is faster and I believe that this is what is used in Manager -> Licenses.

As for the compressed thing: No. License is measured as uncompressed data to be indexed.

0 Karma

Ayn
Legend

I'm guessing it gets its values from the licensing REST endpoints (http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTlicense).

0 Karma