Alerting
Highlighted

Licence expiration date - Alert

Path Finder

Hello,

I would like to create an alert at 90, 30 and 5 days before the expirationte of my enterprise licence.
I've made a lot of search but I didn't find anything related to this subject.

Is it possible to retrieve the expiration date from a search query and use it to create alerts?

Thanks.

Highlighted

Re: Licence expiration date - Alert

Path Finder

I think this is a good start:

| REST /services/licenser/licenses/ 
| eval now=now()
| eval expire_in_days=(expiration_time-now)/86400
| eval expiration_time=strftime(expiration_time, "%Y-%m-%d  %H:%M:%S")
| table group_id expiration_time expire_in_days

That give you the expiration in days, so you just have to setup the alert on expireindays<90, 30 or 5.

Highlighted

Re: Licence expiration date - Alert

SplunkTrust
SplunkTrust

Another option (query from License Usage Report page in license master ), handles multiple pool implementation.

| rest splunk_server=local /services/licenser/messages | where (category=="license_window" OR category=="pool_over_quota") AND create_time >= now() - (30 * 86400) | rename pool_id AS pool | eval warning_day=if(category=="pool_over_quota","(".strftime(create_time,"%B %e, %Y").")",strftime(create_time-43200,"%B %e, %Y")) | fields pool warning_day | join outer pool [rest splunk_server=local /services/licenser/slaves | mvexpand active_pool_ids | eval slave_name=label | eval pool=active_pool_ids | fields pool slave_name | stats values(slave_name) as "members" by pool] | join outer pool [rest splunk_server=local /services/licenser/pools | eval pool=title | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval quotaGB=round(quota/1024/1024/1024,3) | fields pool stack_id, quotaGB] |stats first(pool) as "Pool" first(stack_id) as "Stack ID" first(members) as "Current Members" first(quotaGB) as "Current Quota (GB)" values(warning_day) AS "Warning Days - (Soft)/Hard" by pool | fields - pool
0 Karma
Highlighted

Re: Licence expiration date - Alert

Path Finder

Thanks for informations.

Now I can have an email with the days remaining to the expiration/renew of all licenses.

Can I have the results for a specific pool?
It will avoid to display unnecessary licences informations like the free licence and expired licence (detached to the pool).

0 Karma
Highlighted

Re: Licence expiration date - Alert

Path Finder

I was not able to make somesoni2's search working but it looks like the pool is specified at the end, so you might be able to add a filter at the end to specify your pool.

For my search there is mutliple fields that can be used for that:
try this search:

| REST /services/licenser/licenses/

id  group_id    label   stack_id    type    status
https://127.0.0.1/services/licenser/licenses/0D8FAF9CC8C    Trial   Splunk Enterprise Download Trial    download-trial  download-trial  EXPIRED
https://127.0.0.1/services/licenser/licenses/1AF1CC17539    Enterprise  Splunk Enterprise   enterprise  enterprise  VALID 

group_id or label should be enough for your need.

0 Karma
Highlighted

Re: Licence expiration date - Alert

Splunk Employee
Splunk Employee

If you are using the Distributed Management Console (v6.2 to v6.4) / Monitoring Console (v6.5+) to monitor your Splunk deployment, there is a platform alert (i.e. saved search) that you can enable for “Expired and Soon To Expire Licenses” (with the desired alert action) which will fire when you have licenses that have expired or will expire within two weeks (default setting).

About the Monitoring Console
http://docs.splunk.com/Documentation/Splunk/latest/DMC/DMCoverview

Platform alerts overview
http://docs.splunk.com/Documentation/Splunk/latest/DMC/Platformalerts

Enable platform alerts
http://docs.splunk.com/Documentation/Splunk/latest/DMC/Platformalerts#Enable_platform_alerts

Which alerts are included?
http://docs.splunk.com/Documentation/Splunk/latest/DMC/Platformalerts#Which_alerts_are_included.3F

0 Karma