alert on license usage

mcbradford
Contributor

I need to create an email alert: at a specified time of day, if our license usage is > #, send an email.

So for example if at 14:00 license usage > 9000, alert

I am using the following search to get my usage.

index=_internal source=*license_usage.log earliest=@d | eval GB=b/1024/1024/1024 | stats sum(GB) by pool | eval used='sum(GB)' | fields used

Also how do I remove the decimals?


dantimola
Communicator

Try this:

index=_internal source=*license_usage.log* type=Usage | bucket _time span=1d | stats sum(b) as bytes by _time, pool | eval GB=round(bytes/1024/1024/1024,5) | eval quota=<your license quota here> | eval "% Used"=round(GB/quota*100,2) | rename GB as "License Util" | table _time pool "License Util" "% Used"


mcbradford
Contributor

I think I figured it out....

This is my search...

index=_internal source=*license_usage.log earliest=@d | eval GB=b/1024/1024/1024 | stats sum(GB) by pool | eval used='sum(GB)' | eval GB_Used_Today=round(used, 0) | fields GB_Used_Today

my custom condition is

search GB_Used_Today > 5

I plan to create and schedule probably about 4 searches throughout the day, with the "5" in "search GB_Used_Today > 5" set to something different based on the time the search is run.

My goal is to identify a spike (and possibly stop the spike) before it causes a license violation.
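The four time-of-day searches above and the hard-coded quota in dantimola's version can be folded into one scheduled search. The search below is an added example, not code from any poster in this thread. It assumes that every type=Usage line in license_usage.log carries a poolsz field (the pool's size in bytes), so the quota is read from the log instead of typed in; that a straight-line pace of (hour+1)/24 of the pool per day is the right "expected by now" figure (an assumption, pick whatever curve matches your indexing pattern); and that the search head shares the license master's timezone, since the license day resets at the master's midnight and the hour here comes from the search head's clock. The type=Usage filter is there because the same log also carries type=RolloverSummary lines whose b= values would otherwise be double counted.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=@d
| stats sum(b) AS bytes max(poolsz) AS pool_bytes BY pool
| eval GB_Used_Today=round(bytes/1024/1024/1024, 0)
| eval Pool_GB=round(pool_bytes/1024/1024/1024, 0)
| eval hour=tonumber(strftime(now(), "%H"))
| eval Expected_GB=round(Pool_GB*(hour+1)/24, 0)
| eval Pct_Used=round(bytes/pool_bytes*100, 1)
| where GB_Used_Today > Expected_GB
| table pool GB_Used_Today Expected_GB Pool_GB Pct_Used
```

Save it as an alert with a cron schedule such as 0 8,11,14,17 * * * and the trigger condition "number of results is greater than 0"; the where clause already drops pools that are on pace, so any row returned is a pool running ahead of its share of the day. On the decimals question: round(x, 0) rounds to the nearest whole number, while floor(x) truncates, which is the safer choice if you would rather under-report than over-report usage.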

lguinn2
Legend

I did it this way:

index=_internal sourcetype=license_usage* earliest=@d | eval GB=round(b/1024/1024/1024,0) | stats sum(GB) as used by pool

Not sure which version of Splunk you are using. I did this on 4.2.3.

BTW, the fields command would remove the label for the pools, which would not be good if you had multiple license pools. You might also consider adding | addcoltotals to the end of command line.

mcbradford
Contributor

This returned no results?

This is what I am using to round

index=_internal source=*license_usage.log earliest=@d | eval GB=b/1024/1024/1024 | stats sum(GB) by pool | eval used='sum(GB)' | eval "GB Used Today"=round(used, 0) | fields "GB Used Today"
