Licence expiration date - Alert

Gilgalidd
Path Finder

Hello,

I would like to create an alert at 90, 30 and 5 days before the expiration date of my enterprise licence.
I've done a lot of searching but I didn't find anything related to this subject.

Is it possible to retrieve the expiration date from a search query and use it to create alerts?

Thanks.

llee_splunk
Splunk Employee

If you are using the Distributed Management Console (v6.2 to v6.4) / Monitoring Console (v6.5+) to monitor your Splunk deployment, there is a platform alert (i.e. saved search) that you can enable for “Expired and Soon To Expire Licenses” (with the desired alert action) which will fire when you have licenses that have expired or will expire within two weeks (default setting).

About the Monitoring Console
http://docs.splunk.com/Documentation/Splunk/latest/DMC/DMCoverview

Platform alerts overview
http://docs.splunk.com/Documentation/Splunk/latest/DMC/Platformalerts

Enable platform alerts
http://docs.splunk.com/Documentation/Splunk/latest/DMC/Platformalerts#Enable_platform_alerts

Which alerts are included?
http://docs.splunk.com/Documentation/Splunk/latest/DMC/Platformalerts#Which_alerts_are_included.3F

0 Karma

Gilgalidd
Path Finder

Thanks for the information.

Now I can get an email with the days remaining until the expiration/renewal of all licenses.

Can I have the results for a specific pool?
It would avoid displaying unnecessary licence information, such as the free licence and the expired licence (detached from the pool).

0 Karma

bgaignon
Path Finder

I was not able to get somesoni2's search working, but it looks like the pool is specified at the end, so you might be able to add a filter at the end to specify your pool.

For my search there are multiple fields that can be used for that.
Try this search:

| REST /services/licenser/licenses/

id                                                        group_id    label                             stack_id        type            status
https://127.0.0.1/services/licenser/licenses/0D8FAF9CC8C  Trial       Splunk Enterprise Download Trial  download-trial  download-trial  EXPIRED
https://127.0.0.1/services/licenser/licenses/1AF1CC17539  Enterprise  Splunk Enterprise                 enterprise      enterprise      VALID

group_id or label should be enough for your needs.

0 Karma

somesoni2
SplunkTrust

Another option (the query from the License Usage Report page on the license master), which handles multiple-pool implementations.

| rest splunk_server=local /services/licenser/messages
| where (category=="license_window" OR category=="pool_over_quota") AND create_time >= now() - (30 * 86400)
| rename pool_id AS pool
| eval warning_day=if(category=="pool_over_quota","(".strftime(create_time,"%B %e, %Y").")",strftime(create_time-43200,"%B %e, %Y"))
| fields pool warning_day
| join type=outer pool
    [rest splunk_server=local /services/licenser/slaves
    | mvexpand active_pool_ids
    | eval slave_name=label
    | eval pool=active_pool_ids
    | fields pool slave_name
    | stats values(slave_name) as "members" by pool]
| join type=outer pool
    [rest splunk_server=local /services/licenser/pools
    | eval pool=title
    | eval quota=if(isnull(effective_quota),quota,effective_quota)
    | eval quotaGB=round(quota/1024/1024/1024,3)
    | fields pool stack_id, quotaGB]
| stats first(pool) as "Pool" first(stack_id) as "Stack ID" first(members) as "Current Members" first(quotaGB) as "Current Quota (GB)" values(warning_day) AS "Warning Days - (Soft)/Hard" by pool
| fields - pool

bgaignon
Path Finder

I think this is a good start:

| REST /services/licenser/licenses/ 
| eval now=now()
| eval expire_in_days=(expiration_time-now)/86400
| eval expiration_time=strftime(expiration_time, "%Y-%m-%d  %H:%M:%S")
| table group_id expiration_time expire_in_days

That gives you the expiration in days, so you just have to set up the alert on expire_in_days<90, 30 or 5.
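
Combining the suggestions in this thread, as an added example that is not from any of the posters: the search below keeps only valid licenses in the Enterprise group (the group_id and status values shown in the sample output above) and returns a row only on the days when a license is exactly 90, 30 or 5 days from expiry. It assumes the alert is scheduled to run once a day and is set to trigger when the number of results is greater than zero.

```spl
| rest splunk_server=local /services/licenser/licenses
| search group_id="Enterprise" status="VALID"
| eval days_left=floor((expiration_time - now()) / 86400)
| eval threshold=case(days_left==90, "90 days", days_left==30, "30 days", days_left==5, "5 days")
| where isnotnull(threshold)
| eval expires=strftime(expiration_time, "%Y-%m-%d %H:%M:%S")
| table label group_id stack_id threshold days_left expires
```

Because the match is on exact day counts, a skipped scheduled run on one of those days means that threshold's alert is missed; filtering on days_left<=90 instead fires on every run inside the window.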
