I am working on a Splunk Cloud deployment and have attempted to enable the built-in (splunk_instance_monitoring) alerts for license violations.
I have stripped away the bulk of the alert search to locate the broken component and it at the very front
| rest splunk_server_group=sim_group_license_master /services/licenser/pools
It appears that there is no such group as sim_group_license_master or at the least, it returns no data.
I have also attempted the License Monitor app off splunkbase and this uses the same rest endpoint.
How do I get this alert to work.
And no, I am aware of searching the _internal for license events, the problem is Splunk have provided broken functionality.
Any help appreciated.
These alerts are now removed in version 7.0.1 which will be released in the future
Open a support case; this is clearly a bug.
The /services/licenser/pools API endpoint is there in order to access the licenser pools configuration and in Splunk Cloud we do not support license pools as described here: https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Service/SplunkCloudservice (" License pooling: You cannot use license pooling in Splunk Cloud").
To alert on license usage in Splunk Cloud use index=_internal source=license_usage.log type="RolloverSummary" etc...