Have an alert where there is violation of license and a search where top 10 consumers of license, how do i combine both , where if there is a violation of license send me alert with top consumers? Is it possible?

sarwshai — Tue, 09 Jan 2018 15:49:13 GMT

Re: Have an alert where there is violation of license and a search where top 10 consumers of license, how do i combine both , where if there is a violation of license send me alert with top consumers? Is it possible?

JDukeSplunk — Tue, 09 Jan 2018 19:18:15 GMT

I don't know if this will answer your question directly, but I made a custom dashboard to divvy up my usage so that I can narrow down what index or sourcetype is a problem. I can then search by that sourcetype and see who the offending host might be.

That said, paste this into a new dashboard "source" edit.

<form>
  <label>Splunk License Usage</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="dashboard_time" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-2d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Usage by Day</title>
        <search>
          <query>index=_internal sourcetype=splunkd source=*license_usage.log type=Usage  
| eval GB=b/1024/1024/1024
| timechart span=1d@d sum(GB) as Gigabytes</query>
          <earliest>$dashboard_time.earliest$</earliest>
          <latest>$dashboard_time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="refresh.display">progressbar</option>
        <option name="height">600</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Usage by Index</title>
        <search>
          <query>index=_internal sourcetype=splunkd source=*license_usage.log type=Usage  
| eval GB=b/1024/1024/1024 | timechart span=1d eval(round(sum(GB),2)) as Gigabytes by idx useother=f limit=15</query>
          <earliest>$dashboard_time.earliest$</earliest>
          <latest>$dashboard_time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.text">GB</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
        <option name="height">600</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Usage by Sourcetype</title>
        <search>
          <query>index=_internal sourcetype=splunkd source=*license_usage.log type=Usage  
| eval GB=b/1024/1024/1024 | timechart span=1d eval(round(sum(GB),2)) as Gigabytes by st useother=f limit=15</query>
          <earliest>$dashboard_time.earliest$</earliest>
          <latest>$dashboard_time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.text">Date</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.text">GB</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
        <option name="height">600</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Todays Usage, Hour</title>
        <search>
          <query>index=_internal sourcetype=splunkd source=*license_usage.log type=Usage  
| eval GB=b/1024/1024/1024 | timechart span=1h eval(round(sum(GB),2)) as Gigabytes by st useother=f limit=15</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="refresh.display">progressbar</option>
        <option name="height">600</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Todays Daily Usage Alarm</title>
        <search>
          <query>index=_internal sourcetype=splunkd source=*license_usage.log type=Usage  
| eval GB=b/1024/1024/1024 | stats sum(GB)</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">radialGauge</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.rangeValues">[0,70,85,90]</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.gaugeColors">[0x84E900,0xFFE800,0xBF3030]</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="refresh.display">progressbar</option>
        <option name="height">400</option>
      </chart>
    </panel>
  </row>
</form>

Re: Have an alert where there is violation of license and a search where top 10 consumers of license, how do i combine both , where if there is a violation of license send me alert with top consumers? Is it possible?

sarwshai — Wed, 10 Jan 2018 07:54:11 GMT

Thanks it's very helpful, but i want usage by hosts too, i'll see that try to do it on my own.
But precisely wanted an alert where for e.g. my license of 100 GB exceeds and i get an violation alert along with top 10-15 consumers by host.
Thanks any way!

Re: Have an alert where there is violation of license and a search where top 10 consumers of license, how do i combine both , where if there is a violation of license send me alert with top consumers? Is it possible?

sarwshai — Sat, 10 Feb 2018 10:50:56 GMT

After rigorously finding any help, created separate alert where if there is violation of license send me an alert along with top 10 consumers of license.

If anybody wants to know let me know about it.

topic Re: Have an alert where there is violation of license and a search where top 10 consumers of license, how do i combine both , where if there is a violation of license send me alert with top consumers? Is it possible? in Splunk Search

Have an alert where there is violation of license and a search where top 10 consumers of license, how do i combine both , where if there is a violation of license send me alert with top consumers? Is it possible?

Re: Have an alert where there is violation of license and a search where top 10 consumers of license, how do i combine both , where if there is a violation of license send me alert with top consumers? Is it possible?

Re: Have an alert where there is violation of license and a search where top 10 consumers of license, how do i combine both , where if there is a violation of license send me alert with top consumers? Is it possible?

Re: Have an alert where there is violation of license and a search where top 10 consumers of license, how do i combine both , where if there is a violation of license send me alert with top consumers? Is it possible?