Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

License Master - Is there an internal query or alert to monitor the status and report when a license slave loses connection with the master for more than 1 hour?

splunker12er
Motivator
‎01-05-2015 06:43 PM

Deployment setup has a license master where all the instances are connected to master.

Recently, we had a technical issue where one of the indexers lost connection with the license master server which went unnoticed and caused problems.

Is there an internal query to monitor the status and report via email when a license slave is loses connection with the master?

0 Karma
Reply

wrangler2x
Motivator
‎01-21-2016 02:32 PM

I run this search as an alert every ten minutes which triggers and sends an email to me if the number of events is equal to zero:

index="_internal" source="/opt/splunk/var/log/splunk/license_usage.log" h="somehost.tlga.uci.edu" | stats count

It is simple and works very well. Just substitute your slave host.

0 Karma
Reply

MuS
Legend
‎01-06-2015 12:01 AM

Hi splunker12er,

you can run this search on the license master to get an overview of your license slaves:

| rest /services/licenser/slaves | table lable, updated

Based on this search you can setup an alert.
Hope this helps ...

cheers, MuS

Reply

lakromani
Builder
‎06-04-2019 12:51 AM

Does not work. wrong lable, correct label.

| rest /services/licenser/slaves | table label, updated
0 Karma
Reply

MuS
Legend
‎01-07-2015 12:33 AM

Hi, please mark this as answered if it answers your question...you're not only helping others by marking this as answered, but you will also get some karma as well 😉

0 Karma
Reply

vcarbona
Path Finder
‎01-21-2016 12:11 PM

I don't believe this is a correct answer. In our testing, we shutoff an indexer which was reporting to our license master. It still showed a current updated time field for the shutoff indexer! Unless of course this is being read incorrectly or this rest call is not for this purpose.

From my observation, it seems the only thing to rely on is the warning_count when it comes to answering this question which may be of some value but doesn't completely answer the poster's question.

0 Karma
Reply

MuS
Legend
‎01-21-2016 01:09 PM

Thanks for this feedback! I'm currently not able to test it, but I will do it at some later stage.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...