Splunk Cloud Built-in License Alert broken

michael_bates_1 · ‎06-16-2017

I am working on a Splunk Cloud deployment and have attempted to enable the built-in (splunk_instance_monitoring) alerts for license violations.

I have stripped away the bulk of the alert search to locate the broken component and it at the very front

| rest splunk_server_group=sim_group_license_master /services/licenser/pools

It appears that there is no such group as sim_group_license_master or at the least, it returns no data.

I have also attempted the License Monitor app off splunkbase and this uses the same rest endpoint.

How do I get this alert to work.
And no, I am aware of searching the _internal for license events, the problem is Splunk have provided broken functionality.

Any help appreciated.

ytenenbaum_splu · ‎11-09-2017

These alerts are now removed in version 7.0.1 which will be released in the future

woodcock · ‎06-16-2017

Open a support case; this is clearly a bug.

ytenenbaum_splu · ‎07-06-2017

The /services/licenser/pools API endpoint is there in order to access the licenser pools configuration and in Splunk Cloud we do not support license pools as described here: https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Service/SplunkCloudservice (" License pooling: You cannot use license pooling in Splunk Cloud").
To alert on license usage in Splunk Cloud use index=_internal source=license_usage.log type="RolloverSummary" etc...

Splunk Cloud Built-in License Alert broken

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases