Is there a recommended saved search I can run on the indexer to alert me when the daily indexing volume is approaching the license limit?
You can try using this search to check your license violations:
index=_internal source=*license_audit.log LicenseManager-Audit | delta quotaExceededCount as quotadiff | stats first(quotadiff) as quotadiff | search quotadiff<0
see this forum thread: http://www.splunk.com/support/forum:SplunkSearchAndAlert/3680
You may want to use this query if you issue the search from a search head with several indexers:
index=_internal source=*license_audit.log LicenseManager-Audit | streamstats current=f global=f window=1 first(quotaExceededCount) as next_quotaExceededCount by host | eval quotadiff = next_quotaExceededCount - quotaExceededCount | search quotadiff>0
And there is more information about licenses here:
http://www.splunk.com/wiki/Community:TroubleshootingIndexedDataVolume
I just set one up for earliest -2d
latest now
time bounds and 0 1 * * *
cron schedule.
Note: this search needs to be run over a two day period, to compare yesterday's results to today's.
You can try using this search to check your license violations:
index=_internal source=*license_audit.log LicenseManager-Audit | delta quotaExceededCount as quotadiff | stats first(quotadiff) as quotadiff | search quotadiff<0
see this forum thread: http://www.splunk.com/support/forum:SplunkSearchAndAlert/3680
none of these answers seem to work in 6.x
Hi awurster,
the examples provided were for Splunk 4.x and the license_audit.log
is deprecated now; see the docs license_audit.log Deprecated. Look at license_usage.log instead of here.
http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/WhatSplunklogsaboutitself
Use the license_usage.log
or if you're on Splunk 6.2.x use DMC
and its pre-build alerts http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/ConfiguretheMonitoringConsole
cheers, MuS