Alerting

How to create an alert to trigger when the license usage of a Splunk Cloud reaches 90%?

anandhalagaras1
Communicator

Hi Team,

We want to be notified before we exceed our daily limits, so it would be really helpful to configure an alert for the requested users so that we can avoid a license violation.

Kindly help with a specific search query.


woodcock
Esteemed Legend

You can thank @c.boggs or @cboggs or @cboggs1 OR @cboggs8625 (Christopher Boggs) for this one:

You need to add your own:

| where predicted_volume>=XXX

then save it as an alert and run it every hour over at least the last 7 days.

index="_internal" AND source="*license_usage.log*" AND type="Usage"
| timechart span=1h sum(b) AS volume_b
| predict algorithm=LLP period=24 volume_b AS prediction future_timespan=24
| addinfo
| where _time>=relative_time(info_max_time, "@d") AND _time<relative_time(info_max_time, "+d@d")
| fields - info*
| eval merged = coalesce(volume_b, prediction)
| stats sum(merged) AS predicted_volume sum(volume_b) AS volume_so_far
| eval volume_so_far=round(volume_so_far/1024/1024/1024,2)
| eval predicted_volume=round(predicted_volume/1024/1024/1024,2)

But seriously, just get a FREE No Enforcement license add-on and forget about it until the salesmen come calling.


cboggs
Explorer

Hah! That is all @martin_mueller with only slight tweaks for my own purposes as an alert... I take no credit!

woodcock
Esteemed Legend

My notes show that you slacked it at some point. I will credit @martin_mueller from now on. How many Splunk logins do you have anyway?


cboggs
Explorer

I will add that most license alerts of >90% are useless without some kind of prediction, as once you hit that point it's usually too late unless you shut off the majority of your logging for the rest of the day. That's why I decided to use a search like this, that will notify me earlier in the day that I've got an unusual spike and that at the current rate I'll exceed the license... It's invaluable even if you have a no-enforcement license, to help notify you of errant hosts (or even large groups of hosts) sending more data than usual. Something more efficient could be written to look at events per second averages or something, but this does the job.
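
As an added example (not code from this thread), the same actual-plus-forecast check in plain Python, so the difference between a static 90% alert and the predictive search above can be tried offline: the license_usage.log lines are constructed, the 50 GB daily quota is assumed, and Splunk's `predict algorithm=LLP period=24` is replaced by an assumed seasonal-baseline projection that scales each remaining hour's typical volume by today's observed ratio.

```python
import re
from collections import defaultdict

GIB = 1024 ** 3
# Timestamp hour and the b= (bytes) field of a type=Usage event.
LINE_RE = re.compile(r'^\d\d-\d\d-\d{4} (\d\d):\d\d:\d\d\.\d+ .*?type="?Usage"?.* b=(\d+)')

def constructed_log(bytes_by_hour):
    """Constructed license_usage.log-style lines for one day (not real Splunk output)."""
    return [f'01-15-2024 {h:02d}:30:00.000 +0000 INFO LicenseUsage - type="Usage" '
            f'idx="main" pool="auto_generated_pool_enterprise" b={b}'
            for h, b in bytes_by_hour.items()]

def hourly_volume(lines):
    """Sum b= per hour of day, like `timechart span=1h sum(b)` over today's events."""
    hours = defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            hours[int(m.group(1))] += int(m.group(2))
    return dict(hours)

def project_daily_volume(today, baseline):
    """Return (volume_so_far_gb, predicted_volume_gb), rounded like the search.
    `today` maps hour -> bytes seen so far; `baseline` maps hour -> typical bytes
    for that hour (an assumed stand-in for the daily seasonality predict/LLP
    learns from the last 7 days). Unseen hours are forecast from the baseline,
    scaled by how today's observed hours compare with the same baseline hours."""
    observed = sum(today.values())
    expected = sum(baseline[h] for h in today) or 1
    ratio = observed / expected
    forecast = sum(baseline[h] * ratio for h in range(24) if h not in today)
    return round(observed / GIB, 2), round((observed + forecast) / GIB, 2)

def alert_needed(predicted_gb, daily_quota_gb, pct=90):
    """The `| where predicted_volume>=XXX` step, with XXX = pct% of the quota."""
    return predicted_gb >= daily_quota_gb * pct / 100

if __name__ == "__main__":
    # Constructed scenario: 8 hours ingested at double the usual 1 GiB/hour,
    # checked against an assumed 50 GB daily quota.
    today = hourly_volume(constructed_log({h: 2 * GIB for h in range(8)}))
    baseline = {h: GIB for h in range(24)}
    so_far, predicted = project_daily_volume(today, baseline)
    print(f"volume_so_far={so_far} GB predicted_volume={predicted} GB")
    # A plain >=90% check on volume_so_far stays silent; the projection fires.
    print("static 90% alert:", alert_needed(so_far, 50))
    print("predictive alert:", alert_needed(predicted, 50))
```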

anandhalagaras1
Communicator

Kindly help on the request.
