Alerting

How to create an alert to trigger when the license usage of a heavy forwarder reaches 90%?

kiran_mh
Explorer

Hi... I wanted to know how we can create an alert when the license usage of a "heavy forwarder" reaches a threshold, say about 90% of license usage. We want to get alerted when such a thing occurs. Currently I have the following search:

index =_internal source = *license_usage.log* type = Usage earliest=-7d@d latest=now | search h=ftlpsplunkfwd01.citrite.net | eval MB=b/(1024*1024)  | eval date=strftime(_time, "%1m/%0d/%Y") | stats sum(MB) as Usage(MB) by date
0 Karma

javiergn
Super Champion

Maybe something like this:

index=_internal source=*license_usage.log type=Usage earliest=-7d@d latest=now
| search h=ftlpsplunkfwd01.citrite.net
| eval MB=b/(1024*1024) 
| eval date=strftime(_time, "%1m/%0d/%Y") 
| stats sum(MB) as Usage(MB) by date
| appendcols [ 
   | rest splunk_server=local /services/licenser/stacks 
   | stats max(quota) as license_limit
   | eval license_limitMB = license_limit/1024/1024
   | fields license_limitMB
]
| eventstats max(license_limitMB) as license_limitMB
| eval license_usage = round('Usage(MB)'/license_limitMB*100, 2) 
| where license_usage > 90
0 Karma

kiran_mh
Explorer

I tried running the query but didn't get any statistics..!

0 Karma

somesoni2
Revered Legend

Not getting a result could be a good thing. That denotes that your HF is not exceeding 90% of total license usage. To double check the values, just remove the last line and validate the results.

0 Karma

SamHTexas
Builder

Sir, is there a way (SPL) to be notified when data sent by a HF changes / degrades to, for example, 15-20% of the daily sent amount? Thank you very much.

0 Karma

javiergn
Super Champion

Keep in mind the last line is filtering where license usage > 90% so try tweaking that.
If that doesn't give you any result, try removing the second line (search h=...) and the earliest and latest filters.

0 Karma
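
The replies above note that an empty result only means no day crossed the final `where` filter. As an added Python example (not from any poster in this thread), the same logic is mirrored below over constructed license_usage.log lines so the per-day percentages can be inspected before filtering; the host names, byte counts, pool name and 1 GiB quota are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the key=value layout of license_usage.log.
# Host names, byte counts, pool name and quota are made up for illustration.
QUOTA_BYTES = 1024 ** 3  # assumed 1 GiB stack quota
SAMPLE_LOG = """\
05-01-2024 09:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app.log" st="app" h="hf01.example.com" o="" idx="main" pool="p1" b=400000000 poolsz=1073741824
05-01-2024 15:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app.log" st="app" h="hf01.example.com" o="" idx="main" pool="p1" b=300000000 poolsz=1073741824
05-01-2024 15:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/web.log" st="web" h="hf02.example.com" o="" idx="main" pool="p1" b=900000000 poolsz=1073741824
05-02-2024 00:00:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary pool="p1" b=1600000000 poolsz=1073741824
05-02-2024 09:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app.log" st="app" h="hf01.example.com" o="" idx="main" pool="p1" b=600000000 poolsz=1073741824
05-02-2024 15:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app.log" st="app" h="hf01.example.com" o="" idx="main" pool="p1" b=400000000 poolsz=1073741824
"""

# key=value pairs; values are either double-quoted (possibly empty) or bare tokens
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Extract key=value pairs from one log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}

def daily_usage_pct(log_text, host, quota_bytes):
    """Per-day percent of quota for one host (like: type=Usage h=<host> | stats sum(b) by date)."""
    per_day = defaultdict(int)
    for line in log_text.splitlines():
        fields = parse_fields(line)
        # Keep only Usage events for the forwarder of interest; skip summaries and other hosts
        if fields.get("type") != "Usage" or fields.get("h") != host:
            continue
        day = datetime.strptime(line[:10], "%m-%d-%Y").date().isoformat()
        per_day[day] += int(fields["b"])
    return {d: round(b / quota_bytes * 100, 2) for d, b in sorted(per_day.items())}

def days_over(pcts, threshold=90):
    """Equivalent of the final `where license_usage > 90` filter."""
    return {d: p for d, p in pcts.items() if p > threshold}

if __name__ == "__main__":
    pcts = daily_usage_pct(SAMPLE_LOG, "hf01.example.com", QUOTA_BYTES)
    print("all days:", pcts)                 # what you see with the filter removed
    print("alerting days:", days_over(pcts)) # empty dict means nothing crossed 90%
```
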