https://community.splunk.com/t5/Alerting/How-do-I-alert-on-license-violations/m-p/9419#M6 <P>Note: this search needs to be run over a two day period, to compare yesterday's results to today's.</P> Tue, 15 Feb 2011 23:53:52 GMT Jason 2011-02-15T23:53:52Z https://community.splunk.com/t5/Alerting/How-do-I-alert-on-license-violations/m-p/9416#M3 <P>Is there a recommended saved search I can run on the indexer to alert me when the daily indexing volume is approaching the license limit?</P> Fri, 22 Jan 2010 09:07:39 GMT https://community.splunk.com/t5/Alerting/How-do-I-alert-on-license-violations/m-p/9416#M3 matt 2010-01-22T09:07:39Z https://community.splunk.com/t5/Alerting/How-do-I-alert-on-license-violations/m-p/9417#M4 <P>You can try using this search to check your license violations:</P> <PRE><CODE>index=_internal source=*license_audit.log LicenseManager-Audit | delta quotaExceededCount as quotadiff | stats first(quotadiff) as quotadiff | search quotadiff&lt;0 </CODE></PRE> <P>see this forum thread: <A href="http://www.splunk.com/support/forum:SplunkSearchAndAlert/3680" rel="nofollow">http://www.splunk.com/support/forum:SplunkSearchAndAlert/3680</A></P> Tue, 26 Jan 2010 07:48:28 GMT https://community.splunk.com/t5/Alerting/How-do-I-alert-on-license-violations/m-p/9417#M4 benstraw 2010-01-26T07:48:28Z https://community.splunk.com/t5/Alerting/How-do-I-alert-on-license-violations/m-p/9418#M5 <P>You may want to use this query if you issue the search from a search head with several indexers:</P> <PRE><CODE>index=_internal source=*license_audit.log LicenseManager-Audit | streamstats current=f global=f window=1 first(quotaExceededCount) as next_quotaExceededCount by host | eval quotadiff = next_quotaExceededCount - quotaExceededCount | search quotadiff&gt;0 </CODE></PRE> <P>And there is more information about licenses here:</P> <P><A href="http://www.splunk.com/wiki/Community:TroubleshootingIndexedDataVolume" rel="nofollow">http://www.splunk.com/wiki/Community:TroubleshootingIndexedDataVolume</A></P> Fri, 10 Sep 2010 19:54:29 GMT https://community.splunk.com/t5/Alerting/How-do-I-alert-on-license-violations/m-p/9418#M5 chris 2010-09-10T19:54:29Z https://community.splunk.com/t5/Alerting/How-do-I-alert-on-license-violations/m-p/9419#M6 <P>Note: this search needs to be run over a two day period, to compare yesterday's results to today's.</P> Tue, 15 Feb 2011 23:53:52 GMT https://community.splunk.com/t5/Alerting/How-do-I-alert-on-license-violations/m-p/9419#M6 Jason 2011-02-15T23:53:52Z https://community.splunk.com/t5/Alerting/How-do-I-alert-on-license-violations/m-p/9420#M7 <P>I just set one up for earliest <CODE>-2d</CODE> latest <CODE>now</CODE> time bounds and <CODE>0 1 * * *</CODE> cron schedule.</P> Tue, 15 Feb 2011 23:54:59 GMT https://community.splunk.com/t5/Alerting/How-do-I-alert-on-license-violations/m-p/9420#M7 Jason 2011-02-15T23:54:59Z https://community.splunk.com/t5/Alerting/How-do-I-alert-on-license-violations/m-p/9421#M8 <P>none of these answers seem to work in 6.x</P> Mon, 06 Jul 2015 02:10:39 GMT https://community.splunk.com/t5/Alerting/How-do-I-alert-on-license-violations/m-p/9421#M8 awurster 2015-07-06T02:10:39Z https://community.splunk.com/t5/Alerting/How-do-I-alert-on-license-violations/m-p/9422#M9 <P>Hi awurster,<BR /> the examples provided were for Splunk 4.x and the <CODE>license_audit.log</CODE> is deprecated now; see the docs <CODE>license_audit.log Deprecated. Look at license_usage.log instead of here.</CODE> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/WhatSplunklogsaboutitself">http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/WhatSplunklogsaboutitself</A> <BR /> Use the <CODE>license_usage.log</CODE> or if you're on Splunk 6.2.x use <CODE>DMC</CODE> and its pre-build alerts <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/ConfiguretheMonitoringConsole">http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/ConfiguretheMonitoringConsole</A></P> <P>cheers, MuS</P> Mon, 06 Jul 2015 02:18:00 GMT https://community.splunk.com/t5/Alerting/How-do-I-alert-on-license-violations/m-p/9422#M9 MuS 2015-07-06T02:18:00Z