<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: alert on license usage in Alerting</title>
    <link>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32479#M331</link>
    <description>&lt;P&gt;I found this for Splunk 6.0 - &lt;A href="http://docs.splunk.com/Documentation/Splunk/6.0/Admin/LicenseUsageReportViewexamples"&gt;http://docs.splunk.com/Documentation/Splunk/6.0/Admin/LicenseUsageReportViewexamples&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Mon, 14 Apr 2014 09:07:19 GMT</pubDate>
    <dc:creator>amgoldschmidt</dc:creator>
    <dc:date>2014-04-14T09:07:19Z</dc:date>
    <item>
      <title>alert on license usage</title>
      <link>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32474#M326</link>
      <description>&lt;P&gt;I need to create an email alert when at a specified period in the day, if our license usage is &amp;gt; #, send an email.&lt;/P&gt;

&lt;P&gt;So for example if at 14:00 license usage &amp;gt; 9000, alert&lt;/P&gt;

&lt;P&gt;I am using the following search to get my usage.&lt;/P&gt;

&lt;P&gt;index=_internal source=*license_usage.log earliest=@d| eval GB=b/1024/1024 | stats sum(GB) by pool | eval used='sum(GB)' | fields used&lt;/P&gt;

&lt;P&gt;Also how do I remove the decimals?&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 10:12:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32474#M326</guid>
      <dc:creator>mcbradford</dc:creator>
      <dc:date>2020-09-28T10:12:43Z</dc:date>
    </item>
    <item>
      <title>Re: alert on license usage</title>
      <link>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32475#M327</link>
      <description>&lt;P&gt;I did it this way:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=_internal sourcetype=license_usage* earliest=@d | eval GB=round(b/1024/1024,0) | 
stats sum(GB) as used by pool
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Not sure which version of Splunk you are using.  I did this on 4.2.3&lt;/P&gt;

&lt;P&gt;BTW, the fields command would remove the label for the pools, which would not be good if you had multiple license pools.  You might also consider adding &lt;CODE&gt;| addcoltotals&lt;/CODE&gt; to the end of command line.&lt;/P&gt;</description>
      <pubDate>Fri, 09 Dec 2011 19:36:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32475#M327</guid>
      <dc:creator>lguinn2</dc:creator>
      <dc:date>2011-12-09T19:36:34Z</dc:date>
    </item>
    <item>
      <title>Re: alert on license usage</title>
      <link>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32476#M328</link>
      <description>&lt;P&gt;This returned no results?&lt;/P&gt;

&lt;P&gt;This is what I am using to round&lt;/P&gt;

&lt;P&gt;index=_internal source=*license_usage.log earliest=@d| eval GB=b/1024/1024/1024 | stats sum(GB) by pool | eval used='sum(GB)' | eval GB Used Today=round(used, 0) | fields "GB Used Today"&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 10:12:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32476#M328</guid>
      <dc:creator>mcbradford</dc:creator>
      <dc:date>2020-09-28T10:12:51Z</dc:date>
    </item>
    <item>
      <title>Re: alert on license usage</title>
      <link>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32477#M329</link>
      <description>&lt;P&gt;I think I figured it out....&lt;/P&gt;

&lt;P&gt;This is my search...&lt;/P&gt;

&lt;P&gt;index=_internal source=*license_usage.log earliest=@d| eval GB=b/1024/1024/1024 | stats sum(GB) by pool | eval used='sum(GB)' | eval GB_Used_Today=round(used, 0) | fields GB_Used_Today&lt;/P&gt;

&lt;P&gt;my custom condition is&lt;/P&gt;

&lt;P&gt;search GB_Used_Today &amp;gt; 5&lt;/P&gt;

&lt;P&gt;I plan to create and schedule probably about 4 searches throughout the day with the value "search GB_Used_Today &amp;gt; 5" "5" set to something different based on the time the search is run.&lt;/P&gt;

&lt;P&gt;My goal is to identify a spike (and possible stop the spike) before it causes a license violation. &lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 10:12:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32477#M329</guid>
      <dc:creator>mcbradford</dc:creator>
      <dc:date>2020-09-28T10:12:53Z</dc:date>
    </item>
    <item>
      <title>Re: alert on license usage</title>
      <link>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32478#M330</link>
      <description>&lt;P&gt;I recently answered something similar here :&lt;/P&gt;

&lt;P&gt;&lt;A href="http://splunk-base.splunk.com/answers/35926/email-actions-for-builtin-licensing-alerts?page=1#35938"&gt;http://splunk-base.splunk.com/answers/35926/email-actions-for-builtin-licensing-alerts?page=1#35938&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 11 Dec 2011 08:41:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32478#M330</guid>
      <dc:creator>Damien_Dallimor</dc:creator>
      <dc:date>2011-12-11T08:41:08Z</dc:date>
    </item>
    <item>
      <title>Re: alert on license usage</title>
      <link>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32479#M331</link>
      <description>&lt;P&gt;I found this for Splunk 6.0 - &lt;A href="http://docs.splunk.com/Documentation/Splunk/6.0/Admin/LicenseUsageReportViewexamples"&gt;http://docs.splunk.com/Documentation/Splunk/6.0/Admin/LicenseUsageReportViewexamples&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 14 Apr 2014 09:07:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32479#M331</guid>
      <dc:creator>amgoldschmidt</dc:creator>
      <dc:date>2014-04-14T09:07:19Z</dc:date>
    </item>
    <item>
      <title>Re: alert on license usage</title>
      <link>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32480#M332</link>
      <description>&lt;P&gt;refer this &lt;BR /&gt;
&lt;A href="https://answers.splunk.com/answers/35926/email-actions-for-builtin-licensing-alerts.html#3593"&gt;https://answers.splunk.com/answers/35926/email-actions-for-builtin-licensing-alerts.html#3593&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 25 Apr 2017 17:28:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32480#M332</guid>
      <dc:creator>SplunkersRock</dc:creator>
      <dc:date>2017-04-25T17:28:46Z</dc:date>
    </item>
    <item>
      <title>Re: alert on license usage</title>
      <link>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32481#M333</link>
      <description>&lt;P&gt;Try this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=_internal source=*license_usage.log* type=Usage | bucket _time span=1d | stats sum(b) as bytes by _time, pool | eval GB = round(bytes/1024/1024/1024,5) | eval quota=&amp;lt;your license quota here&amp;gt; | eval "% Used"=round(GB/quota*100,2) | rename GB as "License Util"| table "License Util" "% Used"
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 04 Jan 2018 07:36:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32481#M333</guid>
      <dc:creator>dantimola</dc:creator>
      <dc:date>2018-01-04T07:36:41Z</dc:date>
    </item>
  </channel>
</rss>

