
E-mail alert for license usage limit

crimsonmaverick
Engager

Hello everyone!

I want to create an email alert that will fire if the license usage reaches a certain number of GB throughout the day. Monitoring should be carried out in real time.
The problem is that if I set the presets to monitor in "All time (real time)", then the command is not processed and the alert doesn't work properly. Is it possible to implement this, and if so, in what way?

Version of Splunk: 6.5.0

The command used as an alert:

index=_internal source=*license_usage.log type="RolloverSummary"
| stats sum(b) AS used max(stacksz) AS quota by _time
| eval usedGB=round(used/1024/1024/1024,3)
| eval quotaGB=round(quota/1024/1024/1024,3)
| table _time usedGB quotaGB
| eval percentage=round(usedGB / quotaGB * 100, 1)
| eval usage = usedGB . " (" . percentage . "%)"
| fields _time usedGB quotaGB usage
| where 'usedGB' > 17

Thank you in advance!

0 Karma

tiagofbmm
Influencer

Hey

You can always use the Splunk time modifier to get that from the beginning of each day: earliest=@d

index=_internal source=*license_usage.log type="RolloverSummary" earliest=@d
| stats sum(b) AS used max(stacksz) AS quota by _time
| eval usedGB=round(used/1024/1024/1024,3)
| eval quotaGB=round(quota/1024/1024/1024,3)
| table _time usedGB quotaGB
| eval percentage=round(usedGB / quotaGB * 100, 1)
| eval usage = usedGB . " (" . percentage . "%)"
| fields _time usedGB quotaGB usage
| where 'usedGB' > 17

Aggietoe1
Explorer

I am new to Splunk and I am still trying to figure this out. Do I have to have a SA account to get this to work for me?

0 Karma

pl2345
Path Finder

You shouldn't need an SA account. I modified it because I was getting errors because of the last eval statement to:

index=_internal source=*license_usage.log type="RolloverSummary" earliest=@d
| stats sum(b) AS used max(stacksz) AS quota by _time
| eval usedGB=round(used/1024/1024/1024,3)
| eval quotaGB=round(quota/1024/1024/1024,3)
| table _time, usedGB, quotaGB
| eval percentage=round(usedGB / quotaGB * 100, 1)
| eval usage = usedGB . " (" . percentage . "%)"
| fields _time, usedGB, quotaGB, usage
| where 'usedGB' > 17

From Splunk, enter the modified version of tiagofbmm's search above, adjust the 17 at the end to whatever usage you want it to alert on, and run it. Then click on Save As in the right-hand corner of the New Search window and save it as an alert. Set up your alert preferences and save, and it should trigger whenever you set.

0 Karma
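To sanity-check what the saved search above computes before wiring it to an e-mail action, here is an added offline example (my own code, not from this thread or from Splunk) that runs the same arithmetic over a few constructed license_usage.log lines. The line format is approximated from Splunk's LicenseUsage events and the byte counts are invented; the script sums `b` per calendar day (the equivalent of putting `| bin _time span=1d` before the `stats`, so that several pools rolling over on the same day are added together), keeps the largest `stacksz` as the quota, and returns the days whose usage exceeds a GB threshold. It also takes the event `type` as a parameter: RolloverSummary events are written once per day at rollover, so filtering on `type="Usage"` instead is how an intraday total would be obtained.

```python
"""Offline check of the license-usage alert arithmetic.

Added example, not code from the original thread. The log lines below are
constructed; their layout approximates Splunk's LicenseUsage events.
"""
import re
from collections import defaultdict
from datetime import datetime

GB = 1024 ** 3

# Constructed sample log (not real data): three rollover days, one of which
# has two pools, plus one intraday "Usage" event that the default filter drops.
SAMPLE_LOG = """\
03-27-2017 00:00:02.101 +0000 INFO  LicenseUsage - type="RolloverSummary" slave="idx1" pool="auto_generated_pool_enterprise" stack="enterprise" b=12884901888 poolsz=53687091200 stacksz=53687091200
03-28-2017 00:00:02.087 +0000 INFO  LicenseUsage - type="RolloverSummary" slave="idx1" pool="auto_generated_pool_enterprise" stack="enterprise" b=15032385536 poolsz=53687091200 stacksz=53687091200
03-28-2017 00:00:02.088 +0000 INFO  LicenseUsage - type="RolloverSummary" slave="idx1" pool="second_pool" stack="enterprise" b=5368709120 poolsz=53687091200 stacksz=53687091200
03-29-2017 00:00:02.090 +0000 INFO  LicenseUsage - type="RolloverSummary" slave="idx1" pool="auto_generated_pool_enterprise" stack="enterprise" b=9663676416 poolsz=53687091200 stacksz=53687091200
03-29-2017 00:10:00.000 +0000 INFO  LicenseUsage - type="Usage" s="udp:514" st="syslog" h="h1" o="" idx="main" i="X" pool="auto_generated_pool_enterprise" b=4096 poolsz=53687091200
"""

TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ([+-]\d{4})")
# key="quoted value" or key=bare_value, as Splunk's own key=value extraction would see it
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return (timestamp, fields) for a LicenseUsage line, or None for anything else."""
    m = TS_RE.match(line)
    if not m or "LicenseUsage" not in line:
        return None
    ts = datetime.strptime(m.group(1) + " " + m.group(2), "%m-%d-%Y %H:%M:%S.%f %z")
    fields = {}
    for key, raw, quoted, bare in KV_RE.findall(line[m.end():]):
        fields[key] = quoted if raw.startswith('"') else bare
    return ts, fields


def daily_usage(log_text, event_type="RolloverSummary"):
    """Map ISO date -> (bytes used, quota bytes), like `stats sum(b) max(stacksz)` binned by day.

    Usage events carry poolsz rather than stacksz, so poolsz is the fallback quota.
    """
    used = defaultdict(int)
    quota = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("type") != event_type:
            continue
        day = ts.date().isoformat()
        used[day] += int(f["b"])
        quota[day] = max(quota[day], int(f.get("stacksz", f.get("poolsz", 0))))
    return {d: (used[d], quota[d]) for d in sorted(used)}


def usage_rows(log_text, event_type="RolloverSummary"):
    """Rows shaped like the search's table: (day, usedGB, quotaGB, usage string)."""
    rows = []
    for day, (b, q) in daily_usage(log_text, event_type).items():
        used_gb = round(b / GB, 3)
        quota_gb = round(q / GB, 3)
        # percentage rounded after scaling, so 0.1% resolution rather than 10%
        pct = round(used_gb / quota_gb * 100, 1) if quota_gb else 0.0
        rows.append((day, used_gb, quota_gb, f"{used_gb} ({pct}%)"))
    return rows


def over_threshold(log_text, threshold_gb, event_type="RolloverSummary"):
    """The rows that would trigger the alert: `where usedGB > threshold`."""
    return [r for r in usage_rows(log_text, event_type) if r[1] > threshold_gb]


if __name__ == "__main__":
    for row in usage_rows(SAMPLE_LOG):
        print(*row)
    print("would alert at 17 GB:", over_threshold(SAMPLE_LOG, 17))
```

With the sample data only 2017-03-28 crosses 17 GB (14 GB plus 5 GB across the two pools), which is exactly the case the per-timestamp `stats ... by _time` in the thread can miss if the two pools roll over a few milliseconds apart; binning by day avoids that.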

Aggietoe1
Explorer

I think I got it. I see where I went wrong. I have it set for Monday at 6 a.m. for one alert. I set another one for later on today. We will see how it goes. Thank you for your help.

0 Karma

pl2345
Path Finder

No problem, let us know if you get it working or not.

0 Karma

Aggietoe1
Explorer

I thought I would expect to get some sort of e-mail from an alert. Unfortunately I am not getting anything.

I set up 4 different alerts, each with one trigger.

Title                           Actions               Owner  App     Sharing  Status
Disabled user accounts          Open in Search, Edit  user   search  Private  Enabled
Test Alert 17gb                 Open in Search, Edit  user   search  Private  Enabled
Usage Alert 125gb               Open in Search, Edit  user   search  Private  Enabled
index=windows "EventCode=4634"

Is there something in the Alert section I was supposed to click on in order for the alerts to work?

0 Karma

Aggietoe1
Explorer

I went and entered it in the search; so far I am getting unbalanced quotes. I am figuring out where I went wrong.

0 Karma