Alerting

How do I alert on license violations?

matt
Splunk Employee

Is there a recommended saved search I can run on the indexer to alert me when the daily indexing volume is approaching the license limit?

1 Solution

benstraw
Splunk Employee

You can try using this search to check your license violations:

index=_internal source=*license_audit.log LicenseManager-Audit | delta quotaExceededCount as quotadiff | stats first(quotadiff) as quotadiff | search quotadiff<0

see this forum thread: http://www.splunk.com/support/forum:SplunkSearchAndAlert/3680


chris
Motivator

You may want to use this query if you issue the search from a search head with several indexers:

index=_internal source=*license_audit.log LicenseManager-Audit | streamstats current=f global=f window=1 first(quotaExceededCount) as next_quotaExceededCount by host | eval quotadiff = next_quotaExceededCount - quotaExceededCount | search quotadiff>0

And there is more information about licenses here:

http://www.splunk.com/wiki/Community:TroubleshootingIndexedDataVolume

Jason
Motivator

I just set one up with earliest -2d and latest now time bounds and a 0 1 * * * cron schedule.

0 Karma

Jason
Motivator

Note: this search needs to be run over a two day period, to compare yesterday's results to today's.
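Putting the accepted search together with the two-day window and 01:00 cron schedule Jason describes, here is a savedsearches.conf stanza for the alert; this is an added example, not a search from the thread, and the stanza name and recipient address are placeholders. It assumes the Splunk 4.x-era license_audit.log the thread is based on (see MuS's note below about license_usage.log on 6.x).

```ini
# savedsearches.conf (added example; stanza name and e-mail address are placeholders)
[license_quota_exceeded_alert]
# benstraw's search: a negative delta in quotaExceededCount means the count rose
search = index=_internal source=*license_audit.log LicenseManager-Audit | delta quotaExceededCount as quotadiff | stats first(quotadiff) as quotadiff | search quotadiff<0
# two-day window so yesterday's count can be compared with today's
dispatch.earliest_time = -2d
dispatch.latest_time = now
# run daily at 01:00
enableSched = 1
cron_schedule = 0 1 * * *
# fire when the search returns any result at all
counttype = number of events
relation = greater than
quantity = 0
# notify the admin by e-mail
action.email = 1
action.email.to = admin@example.com
action.email.subject = Splunk Alert: $name$
```

Reload the app (or restart splunkd) after adding the stanza, and confirm the alert appears under Searches and Reports with the schedule shown.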

awurster
Contributor

none of these answers seem to work in 6.x

0 Karma

MuS
SplunkTrust

Hi awurster,
the examples provided were for Splunk 4.x and the license_audit.log is deprecated now; see the docs: license_audit.log Deprecated. Look at license_usage.log instead; see http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/WhatSplunklogsaboutitself
Use the license_usage.log or, if you're on Splunk 6.2.x, use the DMC and its pre-built alerts: http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/ConfiguretheMonitoringConsole

cheers, MuS