Alerting

How do I alert on license violations?

Splunk Employee
Splunk Employee

Is there a recommended saved search I can run on the indexer to alert me when the daily indexing volume is approaching the license limit?

1 Solution

Splunk Employee
Splunk Employee

You can try using this search to check your license violations:

index=_internal source=*license_audit.log LicenseManager-Audit | delta quotaExceededCount as quotadiff | stats first(quotadiff) as quotadiff | search quotadiff<0

see this forum thread: http://www.splunk.com/support/forum:SplunkSearchAndAlert/3680

View solution in original post

Motivator

You may want to use this query if you issue the search from a search head with several indexers:

index=_internal source=*license_audit.log LicenseManager-Audit | streamstats current=f global=f window=1 first(quotaExceededCount) as next_quotaExceededCount by host | eval quotadiff = next_quotaExceededCount - quotaExceededCount | search quotadiff>0

And there is more information about licenses here:

http://www.splunk.com/wiki/Community:TroubleshootingIndexedDataVolume

Motivator

I just set one up for earliest -2d latest now time bounds and 0 1 * * * cron schedule.

0 Karma

Motivator

Note: this search needs to be run over a two day period, to compare yesterday's results to today's.

Splunk Employee
Splunk Employee

You can try using this search to check your license violations:

index=_internal source=*license_audit.log LicenseManager-Audit | delta quotaExceededCount as quotadiff | stats first(quotadiff) as quotadiff | search quotadiff<0

see this forum thread: http://www.splunk.com/support/forum:SplunkSearchAndAlert/3680

View solution in original post

Contributor

none of these answers seem to work in 6.x

0 Karma

SplunkTrust
SplunkTrust

Hi awurster,
the examples provided were for Splunk 4.x and the license_audit.log is deprecated now; see the docs license_audit.log Deprecated. Look at license_usage.log instead of here. http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/WhatSplunklogsaboutitself
Use the license_usage.log or if you're on Splunk 6.2.x use DMC and its pre-build alerts http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/ConfiguretheMonitoringConsole

cheers, MuS