Splunk Alert when license reaches 80% of usage and is about to expire.

JuhiSaxena — Tue, 29 Sep 2020 21:44:32 GMT

We are using following query however would want some validation on it. What should be the earliest and latest time spans?

index=_internal source=license_usage.log type=Usage earliest=-0h@d latest=now splunk_server= pool=*
| eval KB=round(b/1024) | eval MB=round(KB/1024,2) | eval GB=round(MB/1024,2) | eval TB=round(GB/1024,2)
| stats sum(MB) as TotalUsed, sum(b) as TotalBytesUsed by pool, poolsz
| eval perc = tostring(round(TotalBytesUsed/poolsz*100,4))."%"
| eval poolsz = case("MB"="TB", poolsz/1024/1024/1024/1024, "MB"="GB", poolsz/1024/1024/1024, "MB"="MB", poolsz/1024/1024, "MB"="KB", poolsz/1024)
| eval poolsz =tostring(poolsz)." MB"
| eval TotalUsed = tostring(TotalUsed)." MB"
| rename pool as "License Pool", poolsz as "Pool Size", TotalUsed as "Total Used", perc as "Percent Used" | table "License Pool" "Pool Size" "Total Used" "Percent Used"| search "Percent Used">80

Also we need to know what should be the date time range for the alert to be run [should it be all time].

Re: Splunk Alert when license reaches 80% of usage and is about to expire.

adonio — Wed, 24 Oct 2018 01:46:29 GMT

you have prebuilt alert for it in splunk
settings -> Monitoring Console -> settings (dropdown) -> Alerts Setup
enable and modify thresholds to the following:
DMC Alert - Expired and Soon To Expire Licenses
DMC Alert - Total License Usage Near Daily Quota

or copy the searches, pay attention to macros (use the job inspector to see full search)

Hope it helps

p.s. license should probably run daily or every 4 hours or so.
most of the time i have seen users alert if at mid day, they are more than 50% daily license usage.
you can apply the same principal

topic Re: Splunk Alert when license reaches 80% of usage and is about to expire. in Alerting

Splunk Alert when license reaches 80% of usage and is about to expire.

Re: Splunk Alert when license reaches 80% of usage and is about to expire.