Security

License monitoring

hartfoml
Motivator

I can run this search every hour
[ index=_internal sourcetype=splunkd Metrics "group=per_host_thruput" | stats sum(kb) AS Totalkb | Eval GB=round(Totalkb/1048576,2) | TABLE GB ]

I can put a | WHERE GB > (### "warring limit")
so that an alert does not trigger unless my license is about to be violated.

The question is when the trigger is met and the alert sends a message, how do I get the present date of the alert in the (| TABLE Date$Time GB) output of the search?

this search takes about 4 seconds to run and I can run it every hour so that i am alerted early in the day if something has changed that might cause a violation in my license.

Tags (1)
0 Karma
1 Solution

BobM
Builder

You can use bucket to create a date field and then convert to format it as M/D/Y

index=_internal sourcetype=splunkd Metrics "group=per_host_thruput"| bucket _time span=1d as date| stats sum(kb) AS Totalkb by date | Eval GB=round(Totalkb/1048576,2) |convert  timeformat="%m/%d/%Y" ctime(date)  | TABLE date GB

View solution in original post

BobM
Builder

You can use bucket to create a date field and then convert to format it as M/D/Y

index=_internal sourcetype=splunkd Metrics "group=per_host_thruput"| bucket _time span=1d as date| stats sum(kb) AS Totalkb by date | Eval GB=round(Totalkb/1048576,2) |convert  timeformat="%m/%d/%Y" ctime(date)  | TABLE date GB

hartfoml
Motivator

Sorry I left out some info on this.

if I run this on this schedule */60 * * * * for h24@h then I get the total size of data captured in the last 24 hour of the report time. I could also run this on */30 * * * to narrow the time to catch a violation. since this is looking back on the past 24 hours then you catch the violations before your actual 24 hour license measurement is taken.

this is the output of the search.

GB

1 ##.##

I would like to get this output

Date GB

1 mm/dd/yy ##.##

Any suggestions would help.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...