Deployment setup has a license master where all the instances are connected to master.
Recently, we had a technical issue where one of the indexers lost connection with the license master server which went unnoticed and caused problems.
Is there an internal query to monitor the status and report via email when a license slave is loses connection with the master?
you can run this search on the license master to get an overview of your license slaves:
| rest /services/licenser/slaves | table lable, updated
Based on this search you can setup an alert.
Hope this helps ...
Hi, please mark this as answered if it answers your question...you're not only helping others by marking this as answered, but you will also get some karma as well 😉
I don't believe this is a correct answer. In our testing, we shutoff an indexer which was reporting to our license master. It still showed a current updated time field for the shutoff indexer! Unless of course this is being read incorrectly or this rest call is not for this purpose.
From my observation, it seems the only thing to rely on is the warning_count when it comes to answering this question which may be of some value but doesn't completely answer the poster's question.
Thanks for this feedback! I'm currently not able to test it, but I will do it at some later stage.
Does not work. wrong
| rest /services/licenser/slaves | table label, updated
I run this search as an alert every ten minutes which triggers and sends an email to me if the number of events is equal to zero:
index="internal" source="/opt/splunk/var/log/splunk/licenseusage.log" h="somehost.tlga.uci.edu" | stats count
It is simple and works very well. Just substitute your slave host.