Alerting

How to create an alert to trigger when the license usage of a Splunk Cloud reaches 90%?

anandhalagaras1
Contributor

Hi Team,

We want to get notified before we exceed our daily limits, so it would be really helpful to configure an alert for the requested users so that we can avoid a license violation.

Kindly help with a specific search query.


woodcock
Esteemed Legend

You can thank @c.boggs or @cboggs or @cboggs1 OR @cboggs8625 (Christopher Boggs) for this one:

You need to add your own:

| where predicted_volume>=XXX

then save it as an alert and run it every hour over at least the last 7 days.

index="_internal" AND source="*license_usage.log*" AND type="Usage"
| timechart span=1h sum(b) AS volume_b 
| predict algorithm=LLP period=24 volume_b AS prediction future_timespan=24
| addinfo 
| where _time>=relative_time(info_max_time, "@d") AND _time<relative_time(info_max_time, "+d@d") 
| fields - info*
| eval merged = coalesce(volume_b, prediction) 
| stats sum(merged) AS predicted_volume sum(volume_b) AS volume_so_far 
| eval volume_so_far=round(volume_so_far/1024/1024/1024,2)
| eval predicted_volume=round(predicted_volume/1024/1024/1024,2) 

But seriously, just get a FREE No Enforcement license add-on and forget about it until the salesmen come calling.


cboggs
Explorer

Hah! That is all @martin_mueller with only slight tweaks for my own purposes as an alert... I take no credit!

woodcock
Esteemed Legend

My notes show that you slacked it at some point. I will credit @martin_mueller from now on. How many Splunk logins do you have anyway?


cboggs
Explorer

I will add that most license alerts of >90% are useless without some kind of prediction, as once you hit that point it's usually too late unless you shut off the majority of your logging for the rest of the day. That's why I decided to use a search like this, that will notify me earlier in the day that I've got an unusual spike and that at the current rate I'll exceed the license... It's invaluable even if you have a no-enforcement license, to help notify you of errant hosts (or even large groups of hosts) sending more data than usual. Something more efficient could be written to look at events per second averages or something, but this does the job.
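A stand-alone model of the projection behind woodcock's search and cboggs's point about alerting early, added here as an example and not code from the thread. It mirrors the SPL (known hours summed, unseen hours filled from the prediction via coalesce, totals rounded to GiB, then the `XXX` threshold applied as a percentage of the license quota); the same-hour average over previous days is an assumed stand-in for Splunk's `predict algorithm=LLP`, and all input data is constructed.

```python
"""Model of the daily license-usage projection used by the alert search.
Added example: the forecast is a same-hour mean over prior days, standing in
for Splunk's `predict algorithm=LLP`; sample volumes are constructed."""
from statistics import mean

GIB = 1024 ** 3


def forecast_hourly(history):
    """history: previous days, each a list of 24 hourly byte counts.
    Returns 24 predicted byte counts (mean of the same hour across days)."""
    if not history or any(len(day) != 24 for day in history):
        raise ValueError("need full 24-hour days of history")
    return [mean(day[h] for day in history) for h in range(24)]


def project_day(today_hourly, prediction):
    """today_hourly: bytes per hour seen so far today (0..24 entries);
    prediction: 24 forecast byte counts. Like the SPL, actual values win
    where present and the prediction fills the rest (coalesce), and both
    totals are returned in GiB rounded to 2 places."""
    if len(today_hourly) > 24 or len(prediction) != 24:
        raise ValueError("bad input lengths")
    merged = [today_hourly[h] if h < len(today_hourly) else prediction[h]
              for h in range(24)]
    predicted_volume = round(sum(merged) / GIB, 2)
    volume_so_far = round(sum(today_hourly) / GIB, 2)
    return predicted_volume, volume_so_far


def should_alert(predicted_volume_gib, quota_gib, threshold_pct=90):
    """The `| where predicted_volume>=XXX` step, with XXX derived from the
    daily quota instead of hard-coded."""
    return predicted_volume_gib >= quota_gib * threshold_pct / 100


if __name__ == "__main__":
    # Constructed sample: seven quiet days at 2 GiB/hour, then a spike in
    # hours 6-9 of today. Usage so far is only 72% of a 50 GiB quota, yet
    # the projection already crosses the 90% line, which is cboggs's point.
    history = [[2 * GIB] * 24 for _ in range(7)]
    today = [2 * GIB] * 6 + [6 * GIB] * 4
    prediction = forecast_hourly(history)
    predicted, so_far = project_day(today, prediction)
    print(f"so far {so_far} GiB, predicted {predicted} GiB, "
          f"alert={should_alert(predicted, quota_gib=50)}")
```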

anandhalagaras1
Contributor

Kindly help on the request.
