Is there a way to create an alert to notify us if ...

kiran_mh · ‎06-16-2016

Hi

Is there a way an alert can be created to notify us about the license expiration of a heavy forwarder?
For example, we want to get notified when the license for heavy forwarder is about to expire in say 30 days...?

somesoni2 · ‎06-17-2016

Do you've a separate license master OR each Heavy forwarder and Indexer in your setup has licenses installed in them?

kiran_mh · ‎06-20-2016

We don't have a license master , each heavy forwarder have licenses installed in them itself....

ryanoconnor · ‎06-16-2016

The following search should be what you need:

|rest /services/licenser/licenses | search status=VALID label!="Splunk Forwarder" AND label!="Splunk Free" | eval time_to_expire(days)=(expiration_time - now())/86400 | table time_to_expire(days) | search "time_to_expire(days)"<30

Depending on how your licenses are set up, this may need to be modified slightly, but on a test instance with just one Splunk License installed, this works the way you'd expect.

kiran_mh · ‎06-16-2016

thanks for your reply ryanoconnor.....but I m not getting results when I run the query

Currently we have 8 heavy forwarders and 1 deployment server in our instance, splunk cloud 6.4

ryanoconnor · ‎06-17-2016

Is the deployment server also a license master?

ryanoconnor · ‎06-17-2016

The search I provided you should be able to run directly from your license master (if you have one on prem) or if each Heavy Forwarder has it's own license installed, you could run it on each one. I would highly recommend setting up a license master if you don't have one already.

Is there a way to create an alert to notify us if the license is going to expire for a heavy forwarder?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes