Can you help me elaborate each line of this search?

imarri
Engager

Hello everyone, I was working on alert creation for license expiry, and I got a search query for the same.

But can you please help me elaborate each line? Thanks in advance. Like why | rest, | join and all the rest of the commands are used.

(1):

| rest splunk_server_group=local /services/licenser/licenses
| join type=outer group_id splunk_server [
rest splunk_server_group=local /services/licenser/groups
| where is_active = 1
| rename title AS group_id
| fields is_active group_id splunk_server]
| where is_active = 1
| eval days_left = floor((expiration_time - now()) / 86400)
| where NOT (quota = 1048576 OR label == "Splunk Enterprise Reset Warnings" OR label == "Splunk Lite Reset Warnings")
| eventstats max(eval(if(days_left >= 14, 1, 0))) as has_valid_license by splunk_server
| where has_valid_license == 0 AND (status == "EXPIRED" OR days_left < 15)
| eval expiration_status = case(days_left >= 14, days_left." days left", days_left < 14 AND days_left >= 0, "Expires soon: ".days_left." days left", days_left < 0, "Expired")
| eval total_gb=round(quota/1024/1024/1024,3)
| fields splunk_server label license_hash type group_id total_gb expiration_time expiration_status
| convert ctime(expiration_time)
| rename splunk_server AS Instance label AS "Label" license_hash AS "License Hash" type AS Type group_id AS Group total_gb AS Size expiration_time AS "Expires On" expiration_status AS Status

----
(2)

| rest /services/licenser/licenses/
| eval now=now()
| eval expire_in_days=(expiration_time-now)/86400
| eval expiration_time=strftime(expiration_time, "%Y-%m-%d %H:%M:%S")
| table group_id expiration_time expire_in_days


gcusello
SplunkTrust

Hi @imarri,

this is an alert coming from the Monitoring Console.

In a few words:

  • the first rest extracts the license values,
  • the join connects these values with the groups,
  • the eventstats command counts the license use for each Splunk server,
  • the last rows check the consumption value against the license value and filter the violations or the near-violation results.

If you have problems reading this search, I suggest following the Search Tutorial (http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial).

Ciao.

Giuseppe
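To make the per-server logic of search (1) concrete, in particular why the eventstats line keeps a server that still holds a valid license from alerting on an expired one, here is an added Python emulation of that search run over constructed license and group records. It is not code from this thread or from Splunk; the server names, license hashes, quotas and the fixed "now" are made up.

```python
from datetime import datetime, timezone

DAY = 86400
RESET_LABELS = ("Splunk Enterprise Reset Warnings", "Splunk Lite Reset Warnings")
NOW = int(datetime(2024, 6, 1, tzinfo=timezone.utc).timestamp())  # fixed now() for reproducibility

# Constructed stand-ins for the two REST endpoints (hypothetical servers, hashes, quotas). idx1 holds one
# valid and one expired license; idx2 only has a license expiring in 5 days plus the 1 MB reset-warnings stack.
LICENSES = [
    dict(splunk_server="idx1", label="Enterprise 100GB", license_hash="HASH-A", type="enterprise",
         group_id="Enterprise", quota=100 * 1024**3, status="VALID", expiration_time=NOW + 200 * DAY),
    dict(splunk_server="idx1", label="Old trial", license_hash="HASH-B", type="enterprise",
         group_id="Enterprise", quota=50 * 1024**3, status="EXPIRED", expiration_time=NOW - 3 * DAY),
    dict(splunk_server="idx2", label="Enterprise 50GB", license_hash="HASH-C", type="enterprise",
         group_id="Enterprise", quota=50 * 1024**3, status="VALID", expiration_time=NOW + 5 * DAY),
    dict(splunk_server="idx2", label="Splunk Enterprise Reset Warnings", license_hash="HASH-D",
         type="enterprise", group_id="Enterprise", quota=1048576, status="VALID", expiration_time=NOW + 3650 * DAY),
]
GROUPS = [  # /services/licenser/groups: 'title' is the group name that is joined to the licenses' group_id
    dict(splunk_server="idx1", title="Enterprise", is_active=1),
    dict(splunk_server="idx2", title="Enterprise", is_active=1),
    dict(splunk_server="idx2", title="Trial", is_active=0),
]

def license_alerts(licenses, groups, now=NOW):
    """Return the rows search (1) would produce: one per license that should raise the alert."""
    # join ... [groups | where is_active = 1 | rename title AS group_id] | where is_active = 1
    active = {(g["splunk_server"], g["title"]) for g in groups if g["is_active"] == 1}
    rows = [dict(lic) for lic in licenses if (lic["splunk_server"], lic["group_id"]) in active]
    for r in rows:  # eval days_left = floor((expiration_time - now()) / 86400)
        r["days_left"] = (r["expiration_time"] - now) // DAY
    # where NOT (quota = 1048576 OR label == "... Reset Warnings"): drop the built-in 1 MB stacks
    rows = [r for r in rows if not (r["quota"] == 1048576 or r["label"] in RESET_LABELS)]
    # eventstats max(eval(if(days_left >= 14, 1, 0))) as has_valid_license by splunk_server
    has_valid = {}
    for r in rows:
        ok = 1 if r["days_left"] >= 14 else 0
        has_valid[r["splunk_server"]] = max(has_valid.get(r["splunk_server"], 0), ok)
    out = []
    for r in rows:  # where has_valid_license == 0 AND (status == "EXPIRED" OR days_left < 15)
        if has_valid[r["splunk_server"]] or not (r["status"] == "EXPIRED" or r["days_left"] < 15):
            continue
        d = r["days_left"]  # eval expiration_status = case(...)
        status = f"{d} days left" if d >= 14 else (f"Expires soon: {d} days left" if d >= 0 else "Expired")
        out.append({"Instance": r["splunk_server"], "Label": r["label"], "License Hash": r["license_hash"],
                    "Type": r["type"], "Group": r["group_id"], "Size": round(r["quota"] / 1024**3, 3),
                    "Expires On": datetime.fromtimestamp(r["expiration_time"], timezone.utc).strftime("%m/%d/%Y %H:%M:%S"),
                    "Status": status})
    return out
```

With the sample data only idx2 alerts; removing idx1's valid license makes its expired one alert as well, which is the effect of the eventstats line.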
