How to create an alert to trigger when the license usage of Splunk Cloud reaches 90%?

anandhalagaras1
Communicator

Hi Team,

We want to be notified before we exceed our daily limit, so it would be really helpful to configure an alert for the requested users so that we can avoid a license violation.

Kindly help with a specific search query.

woodcock
Esteemed Legend

You can thank @c.boggs or @cboggs or @cboggs1 OR @cboggs8625 (Christopher Boggs) for this one:

You need to add your own:

| where predicted_volume>=XXX

then save it as an alert and run it every hour over at least the last 7 days.

index="_internal" AND source="*license_usage.log*" AND type="Usage"
| timechart span=1h sum(b) AS volume_b
| predict algorithm=LLP period=24 volume_b AS prediction future_timespan=24
| addinfo
| where _time>=relative_time(info_max_time, "@d") AND _time<relative_time(info_max_time, "+d@d")
| fields - info*
| eval merged = coalesce(volume_b, prediction)
| stats sum(merged) AS predicted_volume sum(volume_b) AS volume_so_far
| eval volume_so_far=round(volume_so_far/1024/1024/1024,2)
| eval predicted_volume=round(predicted_volume/1024/1024/1024,2)

But seriously, just get a FREE No Enforcement license add-on and forget about it until the salesmen come calling.

cboggs
Explorer

Hah! That is all @martin_mueller with only slight tweaks for my own purposes as an alert... I take no credit!

woodcock
Esteemed Legend

My notes show that you slacked it at some point. I will credit @martin_mueller from now on. How many Splunk logins do you have anyway?

cboggs
Explorer

I will add that most license alerts of >90% are useless without some kind of prediction, as once you hit that point it's usually too late unless you shut off the majority of your logging for the rest of the day. That's why I decided to use a search like this, that will notify me earlier in the day that I've got an unusual spike and that at the current rate I'll exceed the license... It's invaluable even if you have a no-enforcement license, to help notify you of errant hosts (or even large groups of hosts) sending more data than usual. Something more efficient could be written to look at events per second averages or something, but this does the job.
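To make the point of the two posts above concrete, here is an added Python example (not from the thread or from Splunk) that reproduces the shape of the SPL search: keep today's hourly buckets, fill the hours still to come with a forecast, sum actual plus forecast, and compare the projection against the 90% line. The forecast is a simple same-hour-of-day mean over the previous days, assumed here as a stand-in for `predict algorithm=LLP period=24`; the hourly volumes, the 10 GiB quota and the clock time are constructed for the example.

```python
from datetime import datetime, timedelta
from statistics import mean

GIB = 1024 ** 3
MIB = 1024 ** 2
PERIOD_HOURS = 24          # one seasonal cycle, like `predict period=24`
ALERT_FRACTION = 0.90      # the 90% line asked about in the thread
EXAMPLE_NOW = datetime(2024, 2, 11, 10, 0)   # constructed "current time"


def forecast_hour(earlier, hour):
    """Seasonal-naive forecast: mean volume seen at this hour of day on
    earlier days. A simple stand-in for `predict algorithm=LLP period=24`."""
    same_hour = [b for t, b in earlier.items() if t.hour == hour]
    return mean(same_hour) if same_hour else 0.0


def project_today(history, now, quota_bytes):
    """Mirror the SPL pipeline: keep today's hourly buckets, fill the hours
    still to come with a forecast, sum actual+forecast, compare to quota."""
    day_start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    today = {t: b for t, b in history.items() if t >= day_start}
    earlier = {t: b for t, b in history.items() if t < day_start}
    merged = []                       # eval merged = coalesce(volume_b, prediction)
    for h in range(PERIOD_HOURS):
        bucket = day_start + timedelta(hours=h)
        merged.append(today.get(bucket, forecast_hour(earlier, h)))
    volume_so_far = round(sum(today.values()) / GIB, 2)
    predicted_volume = round(sum(merged) / GIB, 2)
    return {
        "volume_so_far_gb": volume_so_far,
        "predicted_volume_gb": predicted_volume,
        "alert": predicted_volume >= ALERT_FRACTION * quota_bytes / GIB,
    }


def constructed_history(now, days=7, baseline=200 * MIB, spike=700 * MIB):
    """Constructed hourly volumes (not real data): a flat baseline for the
    previous days, then a sustained spike for every hour of today so far."""
    history = {}
    day_start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    t = day_start - timedelta(days=days)
    while t < now:
        history[t] = spike if t >= day_start else baseline
        t += timedelta(hours=1)
    return history


if __name__ == "__main__":
    print(project_today(constructed_history(EXAMPLE_NOW), EXAMPLE_NOW, 10 * GIB))
```

With the constructed data, usage so far at 10:00 is only about 68% of the quota, so a plain "so far" threshold stays quiet, while the projection already lands above 90% and fires.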

anandhalagaras1
Communicator

Kindly help on the request.
