Today I have this search to alert me on license usage going beyond certain threshold:
Search: index=_internal source=*license_usage.log pool="auto_generated_pool_enterprise"| eval GB=b/1024/1024/1024 | stats sum(GB) as current_license_usage_auto_generated_pool_GB by pool
Due to some reasons I am getting wrong results for the above... How can I change this search to use REST endpoints?
On 4.3, please specify a type of record, otherwise you may count things twice:
type=Usage
type=RolloverSummary
See the difference here: http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume
Thanks, I was able to get the results with this search:
| rest /services/licenser/pools | where title="auto_generated_pool_enterprise" | table used_bytes, title | eval GB=used_bytes/1024/1024/1024
BUT now when I set the same as a saved search and try to send an alert when GB>1 I see the following error:
DEBUG: search context: user="admin", app="tto_search", bs-pathname="/opt/splunk/etc"
INFO: No matching fields exist
WARN: Unable to fetch REST endpoint '/services/licenser/pools' from ''
Any idea???
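The same check the thread's `| rest` search performs (pick the pool, convert `used_bytes` to GB, compare against the GB>1 threshold), written as an added Python example that is not from the thread or from Splunk; it embeds a constructed sample of the endpoint's JSON output so it runs offline, and the `fetch_pools` helper, its base URL and session token are assumptions, not something the thread provides.

```python
"""Added example: evaluate /services/licenser/pools output against an alert threshold."""
import json
import urllib.request

GB = 1024 ** 3  # same conversion as the poster's eval GB=used_bytes/1024/1024/1024

# Constructed sample of what the endpoint returns with output_mode=json.
# Shape assumed from Splunk's REST API: the search's "title" is the entry "name",
# and used_bytes lives under "content".  Values are made up.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "auto_generated_pool_enterprise",
         "content": {"used_bytes": 1288490189, "quota": 53687091200}},
        {"name": "auto_generated_pool_free",
         "content": {"used_bytes": 0, "quota": 524288000}},
    ]
})


def pool_usage_gb(response_text, pool="auto_generated_pool_enterprise"):
    """Return used GB for the named pool, or None if that pool is not present.

    Returning None (rather than 0) keeps a missing pool distinguishable from an
    idle one, which is the condition the thread's 'No matching fields' hints at.
    """
    for entry in json.loads(response_text).get("entry", []):
        if entry.get("name") == pool:
            return entry["content"]["used_bytes"] / GB
    return None


def should_alert(response_text, threshold_gb=1.0,
                 pool="auto_generated_pool_enterprise"):
    """True when the pool exists and its usage exceeds the threshold (GB>1 by default)."""
    usage = pool_usage_gb(response_text, pool)
    return usage is not None and usage > threshold_gb


def fetch_pools(base_url, session_token):
    """Assumed helper: read the endpoint over the management port with a session token.

    base_url is a placeholder such as https://splunk.example.invalid:8089.
    """
    req = urllib.request.Request(
        base_url + "/services/licenser/pools?output_mode=json",
        headers={"Authorization": "Splunk " + session_token},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()
```

Replace `SAMPLE_RESPONSE` with `fetch_pools(...)` output to evaluate a live instance; a `None` from `pool_usage_gb` means the pool name did not match and the alert should be treated as a data problem, not silence.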