I am working on a Splunk Cloud deployment and have attempted to enable the built-in (splunk_instance_monitoring) alerts for license violations.
I have stripped away the bulk of the alert search to locate the broken component, and it is at the very front:
| rest splunk_server_group=sim_group_license_master /services/licenser/pools
It appears that there is no such group as sim_group_license_master, or at the least, it returns no data.
I have also attempted the License Monitor app off splunkbase and this uses the same rest endpoint.
How do I get this alert to work?
And no, I am aware of searching the _internal for license events, the problem is Splunk have provided broken functionality.
Any help appreciated.
The /services/licenser/pools API endpoint is there in order to access the licenser pools configuration and in Splunk Cloud we do not support license pools as described here: https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Service/SplunkCloudservice ("License pooling: You cannot use license pooling in Splunk Cloud").
To alert on license usage in Splunk Cloud use index=_internal source=*license_usage.log* type="RolloverSummary" etc...
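One way to turn the search from the answer above into a scheduled alert, as an added example that is not part of the original thread or of any Splunk-shipped app. It assumes the RolloverSummary events carry the fields b (bytes indexed that day) and stacksz (license stack size in bytes), that there is a single license stack, and that 80 percent is the alerting threshold; none of these come from the thread.

```spl
index=_internal source=*license_usage.log* type="RolloverSummary" earliest=-7d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(b) AS b latest(stacksz) AS stacksz BY _time, slave, pool, stack
| stats sum(b) AS bytes_used max(stacksz) AS quota_bytes BY _time
| eval used_gb=round(bytes_used / pow(1024, 3), 2)
| eval quota_gb=round(quota_bytes / pow(1024, 3), 2)
| eval pct_used=round(100 * bytes_used / quota_bytes, 1)
| where pct_used >= 80
| table _time, used_gb, quota_gb, pct_used
```

The 12-hour shift of _time is there because the rollover event is written just after midnight for the previous day; saved as an alert that triggers when the result count is greater than zero, the search fires for every day at or above the threshold.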