I would like to create an alert at 90, 30 and 5 days before the expiration date of my enterprise licence.
I've done a lot of searching but I didn't find anything related to this subject.
Is it possible to retrieve the expiration date from a search query and use it to create alerts?
I think this is a good start:
| REST /services/licenser/licenses/ | eval now=now() | eval expire_in_days=(expiration_time-now)/86400 | eval expiration_time=strftime(expiration_time, "%Y-%m-%d %H:%M:%S") | table group_id expiration_time expire_in_days
That gives you the expiration in days, so you just have to set up the alert on expire_in_days<90, 30 or 5.
Another option (query from the License Usage Report page in the license master), handles multiple pool implementation.
| rest splunk_server=local /services/licenser/messages | where (category=="license_window" OR category=="pool_over_quota") AND create_time >= now() - (30 * 86400) | rename pool_id AS pool | eval warning_day=if(category=="pool_over_quota","(".strftime(create_time,"%B %e, %Y").")",strftime(create_time-43200,"%B %e, %Y")) | fields pool warning_day | join outer pool [rest splunk_server=local /services/licenser/slaves | mvexpand active_pool_ids | eval slave_name=label | eval pool=active_pool_ids | fields pool slave_name | stats values(slave_name) as "members" by pool] | join outer pool [rest splunk_server=local /services/licenser/pools | eval pool=title | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval quotaGB=round(quota/1024/1024/1024,3) | fields pool stack_id, quotaGB] |stats first(pool) as "Pool" first(stack_id) as "Stack ID" first(members) as "Current Members" first(quotaGB) as "Current Quota (GB)" values(warning_day) AS "Warning Days - (Soft)/Hard" by pool | fields - pool
Thanks for the information.
Now I can have an email with the days remaining to the expiration/renew of all licenses.
Can I have the results for a specific pool?
It will avoid displaying unnecessary licence information like the free licence and expired licence (detached from the pool).
I was not able to get somesoni2's search working but it looks like the pool is specified at the end, so you might be able to add a filter at the end to specify your pool.
For my search there are multiple fields that can be used for that:
Try this search:
| REST /services/licenser/licenses/

| id | group_id | label | stack_id | type | status |
|---|---|---|---|---|---|
| https://127.0.0.1/services/licenser/licenses/0D8FAF9CC8C | Trial | Splunk Enterprise Download Trial | download-trial | download-trial | EXPIRED |
| https://127.0.0.1/services/licenser/licenses/1AF1CC17539 | Enterprise | Splunk Enterprise | enterprise | enterprise | VALID |
group_id or label should be enough for your need.
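The two suggestions above (the days-remaining calculation and a filter on group_id) combined into one alert search, as an added example that is not from any poster in this thread. It assumes the search is scheduled once per day and reuses the group_id and status values from the sample output; the alert_tier field name is made up for illustration.

```spl
| rest splunk_server=local /services/licenser/licenses
| search group_id="Enterprise" status="VALID"
| eval expire_in_days=floor((expiration_time - now()) / 86400)
| where expire_in_days=90 OR expire_in_days=30 OR expire_in_days=5
| eval alert_tier=case(expire_in_days=5, "critical", expire_in_days=30, "warning", expire_in_days=90, "notice")
| eval expiration_date=strftime(expiration_time, "%Y-%m-%d %H:%M:%S")
| table label group_id stack_id status expiration_date expire_in_days alert_tier
```

Because expire_in_days is rounded down to whole days, a daily schedule matches each threshold exactly once; set the alert to trigger when the number of results is greater than 0.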
If you are using the Distributed Management Console (v6.2 to v6.4) / Monitoring Console (v6.5+) to monitor your Splunk deployment, there is a platform alert (i.e. saved search) that you can enable for “Expired and Soon To Expire Licenses” (with the desired alert action) which will fire when you have licenses that have expired or will expire within two weeks (default setting).
About the Monitoring Console
Platform alerts overview
Enable platform alerts
Which alerts are included?