Deployment Architecture

Splunk Cloud Built-in License Alert broken

michael_bates_1
Path Finder

I am working on a Splunk Cloud deployment and have attempted to enable the built-in (splunk_instance_monitoring) alerts for license violations.

I have stripped away the bulk of the alert search to locate the broken component and it at the very front

| rest splunk_server_group=sim_group_license_master /services/licenser/pools

It appears that there is no such group as sim_group_license_master or at the least, it returns no data.

I have also attempted the License Monitor app off splunkbase and this uses the same rest endpoint.

How do I get this alert to work.
And no, I am aware of searching the _internal for license events, the problem is Splunk have provided broken functionality.

Any help appreciated.

0 Karma

ytenenbaum_splu
Splunk Employee
Splunk Employee

These alerts are now removed in version 7.0.1 which will be released in the future

0 Karma

woodcock
Esteemed Legend

Open a support case; this is clearly a bug.

0 Karma

ytenenbaum_splu
Splunk Employee
Splunk Employee

The /services/licenser/pools API endpoint is there in order to access the licenser pools configuration and in Splunk Cloud we do not support license pools as described here: https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Service/SplunkCloudservice (" License pooling: You cannot use license pooling in Splunk Cloud").
To alert on license usage in Splunk Cloud use index=_internal source=license_usage.log type="RolloverSummary" etc...

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...