Alerting

Licence expiration date - Alert

Gilgalidd
Path Finder

Hello,

I would like to create an alert at 90, 30 and 5 days before the expiration date of my enterprise licence.
I've done a lot of searching but I didn't find anything related to this subject.

Is it possible to retrieve the expiration date from a search query and use it to create alerts?

Thanks.

llee_splunk
Splunk Employee

If you are using the Distributed Management Console (v6.2 to v6.4) / Monitoring Console (v6.5+) to monitor your Splunk deployment, there is a platform alert (i.e. saved search) that you can enable for “Expired and Soon To Expire Licenses” (with the desired alert action) which will fire when you have licenses that have expired or will expire within two weeks (default setting).

About the Monitoring Console
http://docs.splunk.com/Documentation/Splunk/latest/DMC/DMCoverview

Platform alerts overview
http://docs.splunk.com/Documentation/Splunk/latest/DMC/Platformalerts

Enable platform alerts
http://docs.splunk.com/Documentation/Splunk/latest/DMC/Platformalerts#Enable_platform_alerts

Which alerts are included?
http://docs.splunk.com/Documentation/Splunk/latest/DMC/Platformalerts#Which_alerts_are_included.3F

0 Karma

Gilgalidd
Path Finder

Thanks for the information.

Now I can get an email with the days remaining until the expiration/renewal of all licenses.

Can I have the results for a specific pool?
It would avoid displaying unnecessary licence information, like the free licence and the expired licence (detached from the pool).

0 Karma

bgaignon
Path Finder

I was not able to get somesoni2's search working, but it looks like the pool is specified at the end, so you might be able to add a filter at the end to specify your pool.

For my search there are multiple fields that can be used for that.
Try this search:

| REST /services/licenser/licenses/

id  group_id    label   stack_id    type    status
https://127.0.0.1/services/licenser/licenses/0D8FAF9CC8C    Trial   Splunk Enterprise Download Trial    download-trial  download-trial  EXPIRED
https://127.0.0.1/services/licenser/licenses/1AF1CC17539    Enterprise  Splunk Enterprise   enterprise  enterprise  VALID 

group_id or label should be enough for your need.

0 Karma

somesoni2
Revered Legend

Another option (query from License Usage Report page in license master), handles multiple pool implementation.

| rest splunk_server=local /services/licenser/messages
| where (category=="license_window" OR category=="pool_over_quota") AND create_time >= now() - (30 * 86400)
| rename pool_id AS pool
| eval warning_day=if(category=="pool_over_quota","(".strftime(create_time,"%B %e, %Y").")",strftime(create_time-43200,"%B %e, %Y"))
| fields pool warning_day
| join type=outer pool
    [rest splunk_server=local /services/licenser/slaves
    | mvexpand active_pool_ids
    | eval slave_name=label
    | eval pool=active_pool_ids
    | fields pool slave_name
    | stats values(slave_name) as "members" by pool]
| join type=outer pool
    [rest splunk_server=local /services/licenser/pools
    | eval pool=title
    | eval quota=if(isnull(effective_quota),quota,effective_quota)
    | eval quotaGB=round(quota/1024/1024/1024,3)
    | fields pool stack_id, quotaGB]
| stats first(pool) as "Pool" first(stack_id) as "Stack ID" first(members) as "Current Members" first(quotaGB) as "Current Quota (GB)" values(warning_day) AS "Warning Days - (Soft)/Hard" by pool
| fields - pool

bgaignon
Path Finder

I think this is a good start:

| REST /services/licenser/licenses/ 
| eval now=now()
| eval expire_in_days=(expiration_time-now)/86400
| eval expiration_time=strftime(expiration_time, "%Y-%m-%d  %H:%M:%S")
| table group_id expiration_time expire_in_days

That gives you the expiration in days, so you just have to set up the alert on expire_in_days<90, 30 or 5.
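
Combining the suggestions in this thread into one alert search, as an added example that is not from any of the posters: it keeps only valid licences in the Enterprise group (the status and group_id values shown in the sample output earlier in the thread) and returns a row only on the days when a licence is exactly 90, 30 or 5 days from expiry. It assumes the search is scheduled once a day and that the alert triggers when the number of results is greater than zero.

```spl
| rest splunk_server=local /services/licenser/licenses
| search status=VALID group_id=Enterprise
| eval expire_in_days=floor((expiration_time-now())/86400)
| where expire_in_days=90 OR expire_in_days=30 OR expire_in_days=5
| eval expiration_time=strftime(expiration_time, "%Y-%m-%d %H:%M:%S")
| table label group_id stack_id expiration_time expire_in_days
```

Because the match is on exact day counts, a skipped scheduled run on one of those days means that reminder is missed; replacing the where clause with expire_in_days<=90 makes the alert fire on every daily run inside the window instead.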
