Hello everyone, I was working on alert creation for license expiry, and I got a search query for the same. But can you please help me to elaborate each line, like why | rest, | join and all the other commands are used? Thanks in advance. (1):
| rest splunk_server_group=local /services/licenser/licenses
| join type=outer group_id splunk_server
    [ rest splunk_server_group=local /services/licenser/groups
      | where is_active = 1
      | rename title AS group_id
      | fields is_active group_id splunk_server ]
| where is_active = 1
| eval days_left = floor((expiration_time - now()) / 86400)
| where NOT (quota = 1048576 OR label == "Splunk Enterprise Reset Warnings" OR label == "Splunk Lite Reset Warnings")
| eventstats max(eval(if(days_left >= 14, 1, 0))) as has_valid_license by splunk_server
| where has_valid_license == 0 AND (status == "EXPIRED" OR days_left < 15)
| eval expiration_status = case(days_left >= 14, days_left." days left", days_left < 14 AND days_left >= 0, "Expires soon: ".days_left." days left", days_left < 0, "Expired")
| eval total_gb=round(quota/1024/1024/1024,3)
| fields splunk_server label license_hash type group_id total_gb expiration_time expiration_status
| convert ctime(expiration_time)
| rename splunk_server AS Instance label AS "Label" license_hash AS "License Hash" type AS Type group_id AS Group total_gb AS Size expiration_time AS "Expires On" expiration_status AS Status

(2):
| rest /services/licenser/licenses/
| eval now=now()
| eval expire_in_days=(expiration_time-now)/86400
| eval expiration_time=strftime(expiration_time, "%Y-%m-%d %H:%M:%S")
| table group_id expiration_time expire_in_days
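To make each stage of query (1) concrete, here is the same pipeline re-expressed in Python over constructed sample rows, as an added example that is not from the post or from Splunk: the active-group join, the days_left arithmetic, the reset-warning exclusion, the per-server eventstats and the case() status each map to one step, with the matching SPL command in the comment. The instance names, hashes and NOW value are constructed, and "Expires On" is rendered in UTC where convert ctime would use the search head's timezone.

```python
import math
from datetime import datetime, timezone

NOW, DAY, GiB = 1_700_000_000, 86400, 1024 ** 3  # NOW is a constructed fixed stand-in for now()

def lic(server, label, lhash, group, quota, status, expires):  # one licenser/licenses row (fields the query uses)
    return dict(splunk_server=server, label=label, license_hash=lhash, type="enterprise",
                group_id=group, quota=quota, status=status, expiration_time=expires)
LICENSES = [  # constructed sample: three instances, idx1 also carrying a built-in reset-warning stack
    lic("idx1", "Enterprise 10GB", "HASH_A", "Enterprise", 10 * GiB, "VALID", NOW + 5 * DAY + 100),
    lic("idx1", "Splunk Enterprise Reset Warnings", "HASH_W", "Enterprise", 1048576, "VALID", NOW + 9000 * DAY),
    lic("idx2", "Enterprise 5GB", "HASH_B", "Enterprise", 5 * GiB, "VALID", NOW + 3 * DAY),
    lic("idx2", "Enterprise 50GB", "HASH_C", "Enterprise", 50 * GiB, "VALID", NOW + 400 * DAY),
    lic("idx3", "Enterprise 1GB", "HASH_D", "Enterprise", 1 * GiB, "EXPIRED", NOW - 2 * DAY),
    lic("idx3", "Trial", "HASH_E", "Trial", 500 * 1024 ** 2, "VALID", NOW + 1 * DAY),
]
GROUPS = [  # constructed sample of licenser/groups rows: title is the group name, is_active marks the stack in use
    {"splunk_server": "idx1", "title": "Enterprise", "is_active": 1},
    {"splunk_server": "idx2", "title": "Enterprise", "is_active": 1},
    {"splunk_server": "idx3", "title": "Enterprise", "is_active": 1},
    {"splunk_server": "idx3", "title": "Trial", "is_active": 0},
]

def expiring_licenses(licenses, groups, now=NOW):
    # join type=outer group_id splunk_server [... | where is_active = 1 | rename title AS group_id] | where is_active = 1
    # -> keep only licenses whose group is the active stack on that server (outer join, then the filter)
    active = {(g["splunk_server"], g["title"]) for g in groups if g["is_active"] == 1}
    rows = [dict(r) for r in licenses if (r["splunk_server"], r["group_id"]) in active]
    for r in rows:  # eval days_left = floor((expiration_time - now()) / 86400)
        r["days_left"] = math.floor((r["expiration_time"] - now) / DAY)
    # where NOT (quota = 1048576 OR label == ...): drop the 1 MB reset-warning licenses every instance carries
    rows = [r for r in rows if not (r["quota"] == 1048576 or
            r["label"] in ("Splunk Enterprise Reset Warnings", "Splunk Lite Reset Warnings"))]
    has_valid = {}  # eventstats max(eval(if(days_left >= 14, 1, 0))) as has_valid_license by splunk_server
    for r in rows:
        s = r["splunk_server"]
        has_valid[s] = max(has_valid.get(s, 0), 1 if r["days_left"] >= 14 else 0)
    # where has_valid_license == 0 AND (status == "EXPIRED" OR days_left < 15): only servers with no healthy license
    rows = [r for r in rows if has_valid[r["splunk_server"]] == 0
            and (r["status"] == "EXPIRED" or r["days_left"] < 15)]
    out = []
    for r in rows:  # eval expiration_status = case(...) | eval total_gb | convert ctime | rename
        d = r["days_left"]
        status = f"{d} days left" if d >= 14 else (f"Expires soon: {d} days left" if d >= 0 else "Expired")
        expires = datetime.fromtimestamp(r["expiration_time"], timezone.utc).strftime("%m/%d/%Y %H:%M:%S")
        out.append({"Instance": r["splunk_server"], "Label": r["label"], "License Hash": r["license_hash"],
                    "Type": r["type"], "Group": r["group_id"], "Size": round(r["quota"] / GiB, 3),
                    "Expires On": expires, "Status": status})
    return out
```

Running it reports idx1 (its only real license has 5 days left) and idx3 (expired), while idx2 is silent because its 50 GB license still has 400 days left, which is exactly what the has_valid_license eventstats is for.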