- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to write a real-time search to alert if daily ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to write a real-time search to alert if daily license usage reaches 70 GB or more?
Hi Team
I need your help to write the search on the licence usage. Suppose I have a 100 GB license. My daily licence usage is 60 to 65 GB. I need to write a search to find if daily license usage suddenly reaches 70 GB or more. So, if I can run this search in real-time and license usage reaches 70 GB, it should throw an alert.
Thanks In Advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Sumit,
If you go to http(s)://YOURLICENSESERVER:PORT/en-US/manager/search/licenseusage and you click on the little magnifying glass "open in search" under the "Today's License Usage (GB) " panel you will have the search that generates this value. It should look something like:
| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | join type=outer stack_id [rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota] | stats sum(used_bytes) as used max(stack_quota) as total | eval usedGB=round(used/1024/1024/1024,3) | eval totalGB=round(total/1024/1024/1024,3) | eval gauge_base=0 | eval gauge_danger=totalGB*0.8 | eval gauge_top=totalGB+0.001 | gauge usedGB gauge_base gauge_danger totalGB gauge_top
From there you can tweak the search to do what you want with it and eventually get to a search that looks like this to answer your question:
| rest splunk_server=local /services/licenser/pools | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id]| stats sum(used_bytes) as used max(quota) as total | eval Usage=(used/total)*100 | where Usage>YourLimitHere
Let me know how that works out for you.
Regards,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey @sumit29, any updates on this issue ? Did the above help ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is as far as I got....tested with 30% first and worked:
| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% used"=round(used_bytes/quota*100,2) | fields Pool "% used"| where '% used' > 80
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
