- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Email actions for Builtin Licensing alerts
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi! Just wanted to ask does anybody know how I can set the built-in licensing alerts to send out email to me whenever it is hit? What file do I need to edit and what parameters should I add.
Thanks A lot!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is simple to write your own scheduled search that fires a licensing alert.
As an example, this is a search that will fire an alert when the total daily license usage exceeds ~ 10 GB.
To target the previous calendar day , I use earliest "-1d@d" , latest "@d" , and schedule the search to run once a day at midnight.
index=_internal source=*license_usage* pool="your_license_pool" | eval GB=b/1024/1024/1024 | stats sum(GB) by pool | where 'sum(GB)' > 10
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In >=4.3, you can use the new "index=_internal sourcetype=splunkd type=RolloverSummary" event to easily alert if the previous day had indexed more than a certain percentage of the available license pool without having to write a search that does any calculations.
Create a search that looks like:
earliest=@d latest=now sourcetype=splunkd index=_internal type=RolloverSummary | where b > poolsz*0.8
This search will yield a result if the bytes indexed are greater than 80% of the pool size. Adjust the comparison to suit your needs
Schedule it to run early in the morning, but not at midnight. This event will be inserted shortly after midnight, so schedule this to run at 1am or something
Alert if the search count returns more than zero results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for this, walkeran. This is a much faster and more flexible solution than the previous. However, it's not totally correct. Your search will only produce results if a single indexer in the pool has exceeded the pool allocation. What is needed, is to find if all of the indexers in the pool combined have exceeded the allocation.
Here is the modified solution:
earliest=@d latest=now sourcetype=splunkd index=_internal type=RolloverSummary source=*license_usage.log |stats sum(b) as usage by pool, poolsz| where usage > poolsz|eval usage = usage/1024/1024/1024| eval poolsz = poolsz/1024/1024/1024
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is simple to write your own scheduled search that fires a licensing alert.
As an example, this is a search that will fire an alert when the total daily license usage exceeds ~ 10 GB.
To target the previous calendar day , I use earliest "-1d@d" , latest "@d" , and schedule the search to run once a day at midnight.
index=_internal source=*license_usage* pool="your_license_pool" | eval GB=b/1024/1024/1024 | stats sum(GB) by pool | where 'sum(GB)' > 10
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Important note! Starting in version 4.3, the search in this answer will match more events than you want it to, and essentially cause the result to be the sum of the previous two days worth of indexed data.
To keep the functionality the same, one should also add "type=Usage" to the search. The easier alternative, however, would be to use the "type=RolloverSummary" event which contains a total of the previous days usage. ( see my alternative answer to this question http://splunk-base.splunk.com/answer_link/55212/ )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Damien's solution forces you to put an arbitrary number in the search. How can I do this and reference the pool size? I only care if the limit was exceeded and this search needs to automatically adjust if the pool size is adjisted.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) Configure your email server settings in :
Manager >> System settings >> Email alert settings
2) And then configure your scheduled search to fire an email :
Manager >> Searches and reports >> Your Search
Start time = -1d@d
End time = @d
Schedule this search = tick checkbox
Schedule type = basic
Run every = day at midnight
Condition = if custom condition is met
Custom condition search = search count > 0
In the "Alert actions" section, enable "Send Email" , and specify the email addresses to send to and a custom subject line.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi thanks for the answer, but how do I send out an email if this alert is hit? thanks
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
