Hi
Is there a way an alert can be created to notify us about the license expiration of a heavy forwarder?
For example, we want to get notified when the license for heavy forwarder is about to expire in say 30 days...?
Do you've a separate license master OR each Heavy forwarder and Indexer in your setup has licenses installed in them?
We don't have a license master , each heavy forwarder have licenses installed in them itself....
The following search should be what you need:
|rest /services/licenser/licenses | search status=VALID label!="Splunk Forwarder" AND label!="Splunk Free" | eval time_to_expire(days)=(expiration_time - now())/86400 | table time_to_expire(days) | search "time_to_expire(days)"<30
Depending on how your licenses are set up, this may need to be modified slightly, but on a test instance with just one Splunk License installed, this works the way you'd expect.
thanks for your reply ryanoconnor.....but I m not getting results when I run the query
Currently we have 8 heavy forwarders and 1 deployment server in our instance, splunk cloud 6.4
Is the deployment server also a license master?
The search I provided you should be able to run directly from your license master (if you have one on prem) or if each Heavy Forwarder has it's own license installed, you could run it on each one. I would highly recommend setting up a license master if you don't have one already.