How to get curl command to check license expiration time?

paraic
New Member

Hi
I am new to Splunk and have a few Dev-Test instances running with the 6 month expiry. I would like to check the expiry using Nagios. All I really need is a curl command to search Splunk for the expiration_time field under licenses and I can let Nagios do the rest.
Any guidance on where to start?

Thanks
Paraic

0 Karma
1 Solution

richgalloway
SplunkTrust

Why use Nagios to monitor Splunk when Splunk can monitor itself? The following search will show your licenses and expiration dates. If you have a separate license master, run the search there.

| rest /services/licenser/licenses | table label expiration_time | fieldformat expiration_time=strftime(expiration_time,"%Y-%m-%d %H:%M:%S")

To show only the licenses about to expire, modify the search a little.

| rest /services/licenser/licenses | where expiration_time<relative_time(now(),"+6mon") | table label expiration_time | fieldformat expiration_time=strftime(expiration_time,"%Y-%m-%d %H:%M:%S")

Save this as a scheduled search to run every day and trigger an alert if the number of results is not zero.

If you really want to use curl, try something like this. The response will contain everything you'd want to know about all of your licenses. It'll be up to you to parse it out.

curl -k -u admin:changeme https://localhost:8089/services/licenser/licenses
---
If this reply helps you, an upvote would be appreciated.

0 Karma

somesoni2
Revered Legend
0 Karma

paraic
New Member

OK, figured it out.
I was using http instead of https. Our main Search head uses http but the mPort uses https.
Got the XML file, which I can parse now.

0 Karma

paraic
New Member

I'm getting a 404 on that URL.
I would rather not use Splunk as we funnel everything through Nagios and we have solid processes for managing all alerts.

0 Karma

paraic
New Member

Figured out the 404 - I was pointing at the main URL, not the mPort. Tried again on the mPort and got:
curl: (56) Recv failure: Connection reset by peer
Do I need to enable something in Splunk to use that port?

0 Karma

koshyk
Super Champion

Hi,
Yes, it's possible. Something like below. Ensure you are running against the "License manager".

curl -k -u admin:changeme https://<host>:<mPort>/services/licenser/licenses

REST command in Splunk, which you can filter more granularly:

| rest /services/licenser/licenses splunk_server=<license_master>| table group_id,type,quota,license_hash,status,expiration_time
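
The curl request from the answers above, turned into a Nagios-style check; this is an added example, not code from any of the posts. It assumes the endpoint is asked for `output_mode=json` and returns the usual `entry`/`content` layout; the environment variable names, the thresholds and the sample data are made up for illustration. Unlike `curl -k`, it verifies the splunkd certificate, and it reads credentials from the environment so they stay off the command line.

```python
#!/usr/bin/env python3
# Added example: Nagios-style check for Splunk license expiry. Env var names are assumptions.
import base64, json, os, ssl, sys, time, urllib.request

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed sample of the JSON returned with output_mode=json (not real license data).
SAMPLE = json.dumps({"entry": [
    {"name": "aaa", "content": {"label": "Dev/Test", "expiration_time": 1700000000}},
    {"name": "bbb", "content": {"label": "Forwarder", "expiration_time": 2147483647}},
]})

def evaluate(body, now, warn_days=30, crit_days=7):
    """Turn the licenses response into (nagios_exit_code, status_line)."""
    try:
        entries = json.loads(body)["entry"]
        left = sorted((int(e["content"]["expiration_time"]) - now,
                       e["content"].get("label", e.get("name", "?"))) for e in entries)
    except (ValueError, KeyError, TypeError):
        return UNKNOWN, "UNKNOWN - unexpected response from licenser endpoint"
    if not left:
        return UNKNOWN, "UNKNOWN - no licenses returned"
    seconds, label = left[0]                      # license closest to expiry
    days = int(seconds // 86400)                  # negative once already expired
    if days < crit_days:
        return CRITICAL, f"CRITICAL - '{label}' expires in {days} days"
    if days < warn_days:
        return WARNING, f"WARNING - '{label}' expires in {days} days"
    return OK, f"OK - '{label}' expires in {days} days"

def fetch(url, user, password, cafile=None):
    """GET the licenses endpoint over verified TLS with basic auth."""
    ctx = ssl.create_default_context(cafile=cafile)   # certificate checks stay on
    req = urllib.request.Request(url + "?output_mode=json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    try:  # SPLUNK_URL e.g. https://<host>:<mPort>/services/licenser/licenses
        body = fetch(os.environ["SPLUNK_URL"], os.environ["SPLUNK_USER"],
                     os.environ["SPLUNK_PASS"], os.environ.get("SPLUNK_CA"))
        code, msg = evaluate(body, time.time())
    except Exception as exc:                      # network, TLS or config failure
        code, msg = UNKNOWN, f"UNKNOWN - {exc}"
    print(msg)
    sys.exit(code)
```

Nagios takes the exit code as the service state and the printed line as the status text.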