Alerting

Can my license-master still email license alerts if it is in violation

mataharry
Communicator

Here is my problem, I have an enterprise license-master and some scheduled searches triggering email alerts if it records license warnings or violations.
(based on index=_internal source=*license_audit.log* )

But I wonder what will happen when it will be in violation (after reaching 5 warnings), because the search is supposed to be disabled. Will the server silently be locked ?

1 Solution

yannK
Splunk Employee
Splunk Employee

Good concern.

Hopefully, when you are in violation, the search on the _internal index is not disabled, and the scheduling is still running. So the alert email will be sent even if the other indexed cannot be searched.

View solution in original post

0 Karma

BobM
Builder

When you reach 5 license violations, search is disabled. But the _internal index is not blocked for exactly this kind of reason. You need to be able to tell if you are still getting violations and if so where the data is coming from.

0 Karma

yannK
Splunk Employee
Splunk Employee

Good concern.

Hopefully, when you are in violation, the search on the _internal index is not disabled, and the scheduling is still running. So the alert email will be sent even if the other indexed cannot be searched.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...