Hi
I am new to Splunk and have a few Dev-Test instances running with the 6 month expiry. I would like to check the expiry using Nagios. All I really need is a curl command to search Splunk for the expiration_time field under licenses and I can let Nagios do the rest.
Any guidance on where to start?
thnx
Paraic
Why use Nagios to monitor Splunk when Splunk can monitor itself? The following search will show your licenses and expiration dates. If you have a separate license master, run the search there.
| rest /services/licenser/licenses | table label expiration_time | fieldformat expiration_time=strftime(expiration_time,"%Y-%m-%d %H:%M:%S")
To show only the licenses about to expire, modify the search a little.
| rest /services/licenser/licenses | where expiration_time<relative_time(now(),"+6mon") | table label expiration_time | fieldformat expiration_time=strftime(expiration_time,"%Y-%m-%d %H:%M:%S")
Save this as a scheduled search to run every day and trigger an alert if the number of results is not zero.
If you really want to use curl, try something like this. The response will contain everything you'd want to know about all of your licenses. It'll be up to you to parse it out.
curl -k -u admin:changeme https://localhost:8089//services/licenser/licenses
Why use Nagios to monitor Splunk when Splunk can monitor itself? The following search will show your licenses and expiration dates. If you have a separate license master, run the search there.
| rest /services/licenser/licenses | table label expiration_time | fieldformat expiration_time=strftime(expiration_time,"%Y-%m-%d %H:%M:%S")
To show only the licenses about to expire, modify the search a little.
| rest /services/licenser/licenses | where expiration_time<relative_time(now(),"+6mon") | table label expiration_time | fieldformat expiration_time=strftime(expiration_time,"%Y-%m-%d %H:%M:%S")
Save this as a scheduled search to run every day and trigger an alert if the number of results is not zero.
If you really want to use curl, try something like this. The response will contain everything you'd want to know about all of your licenses. It'll be up to you to parse it out.
curl -k -u admin:changeme https://localhost:8089//services/licenser/licenses
OK, figured it out.
I was using http instead of https. Our main Search head uses http but the mPort uses https.
got the XML file which I can parse now.
I'm getting a 404 on that URL.
I would rather not use Splunk as we funnel everything through Nagios and we have solid processes for managing all alerts.
figured out the 404 - I was pointing at the main URL, not the mPort. Tried again on the mPort and got:
curl: (56) Recv failure: Connection reset by peer
Do I need to enable something in Splunk to use that port?
hi,
Yes its possible. Something like below. Ensure you are running against the "License manager"
curl -k -u admin:changeme https://<host>:<mPort>/services/licenser/licenses
REST command in Splunk which you can filter more granular
| rest /services/licenser/licenses splunk_server=<license_master>| table group_id,type,quota,license_hash,status,expiration_time