Installation

How to get curl command to check license expiration time?

New Member

Hi
I am new to Splunk and have a few Dev-Test instances running with the 6 month expiry. I would like to check the expiry using Nagios. All I really need is a curl command to search Splunk for the expiration_time field under licenses and I can let Nagios do the rest.
Any guidance on where to start?

thnx
Paraic

Labels (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Why use Nagios to monitor Splunk when Splunk can monitor itself? The following search will show your licenses and expiration dates. If you have a separate license master, run the search there.

| rest /services/licenser/licenses | table label expiration_time | fieldformat expiration_time=strftime(expiration_time,"%Y-%m-%d %H:%M:%S")

To show only the licenses about to expire, modify the search a little.

| rest /services/licenser/licenses | where expiration_time<relative_time(now(),"+6mon") | table label expiration_time | fieldformat expiration_time=strftime(expiration_time,"%Y-%m-%d %H:%M:%S")

Save this as a scheduled search to run every day and trigger an alert if the number of results is not zero.

If you really want to use curl, try something like this. The response will contain everything you'd want to know about all of your licenses. It'll be up to you to parse it out.

curl -k -u admin:changeme https://localhost:8089//services/licenser/licenses
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

SplunkTrust
SplunkTrust
0 Karma

SplunkTrust
SplunkTrust

Why use Nagios to monitor Splunk when Splunk can monitor itself? The following search will show your licenses and expiration dates. If you have a separate license master, run the search there.

| rest /services/licenser/licenses | table label expiration_time | fieldformat expiration_time=strftime(expiration_time,"%Y-%m-%d %H:%M:%S")

To show only the licenses about to expire, modify the search a little.

| rest /services/licenser/licenses | where expiration_time<relative_time(now(),"+6mon") | table label expiration_time | fieldformat expiration_time=strftime(expiration_time,"%Y-%m-%d %H:%M:%S")

Save this as a scheduled search to run every day and trigger an alert if the number of results is not zero.

If you really want to use curl, try something like this. The response will contain everything you'd want to know about all of your licenses. It'll be up to you to parse it out.

curl -k -u admin:changeme https://localhost:8089//services/licenser/licenses
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

New Member

OK, figured it out.
I was using http instead of https. Our main Search head uses http but the mPort uses https.
got the XML file which I can parse now.

0 Karma

New Member

I'm getting a 404 on that URL.
I would rather not use Splunk as we funnel everything through Nagios and we have solid processes for managing all alerts.

0 Karma

New Member

figured out the 404 - I was pointing at the main URL, not the mPort. Tried again on the mPort and got:
curl: (56) Recv failure: Connection reset by peer
Do I need to enable something in Splunk to use that port?

0 Karma

Super Champion

hi,
Yes its possible. Something like below. Ensure you are running against the "License manager"

curl -k -u admin:changeme https://<host>:<mPort>/services/licenser/licenses

REST command in Splunk which you can filter more granular

| rest /services/licenser/licenses splunk_server=<license_master>| table group_id,type,quota,license_hash,status,expiration_time
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!