Splunk Search

How to write a real-time search to alert if daily license usage reaches 70 GB or more?

sumit29
Path Finder

Hi Team

I need your help to write the search on the license usage. Suppose I have a 100 GB license. My daily license usage is 60 to 65 GB. I need to write a search to find if daily license usage suddenly reaches 70 GB or more. So, if I can run this search in real-time and license usage reaches 70 GB, it should throw an alert.

Thanks In Advance

DavidHourani
Super Champion

Hello Sumit,

If you go to http(s)://YOURLICENSESERVER:PORT/en-US/manager/search/licenseusage and click on the little magnifying glass "open in search" under the "Today's License Usage (GB)" panel, you will have the search that generates this value. It should look something like:

| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | join type=outer stack_id [rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota] | stats sum(used_bytes) as used max(stack_quota) as total | eval usedGB=round(used/1024/1024/1024,3) | eval totalGB=round(total/1024/1024/1024,3) | eval gauge_base=0 | eval gauge_danger=totalGB*0.8 | eval gauge_top=totalGB+0.001 | gauge usedGB gauge_base gauge_danger totalGB gauge_top

From there you can tweak the search to do what you want with it and eventually get to a search that looks like this to answer your question:

| rest splunk_server=local /services/licenser/pools | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id]| stats sum(used_bytes) as used max(quota) as total | eval Usage=(used/total)*100 | where Usage>YourLimitHere

Let me know how that works out for you.

Regards,
David

0 Karma
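An alert-shaped version of the dashboard search above, added here as an example and not taken from any post in this thread. It keeps the pool/group/stack lookups from the built-in search but tests the absolute daily volume the question asks for instead of a percentage; the 70 GB threshold (set in thresholdGB) is the value from the question and is an assumption for any other deployment, and the percentage is carried along only so the alert message can report it:

```spl
| rest splunk_server=local /services/licenser/pools
| rename title AS Pool
| search [rest splunk_server=local /services/licenser/groups
          | search is_active=1
          | eval stack_id=stack_ids
          | fields stack_id]
| join type=outer stack_id
     [rest splunk_server=local /services/licenser/stacks
      | eval stack_id=title
      | eval stack_quota=quota
      | fields stack_id stack_quota]
| stats sum(used_bytes) AS used, max(stack_quota) AS total
| eval usedGB=round(used/1024/1024/1024,3)
| eval totalGB=round(total/1024/1024/1024,3)
| eval pctUsed=round(usedGB/totalGB*100,1)
| eval thresholdGB=70
| where usedGB >= thresholdGB
| eval message="Daily license usage is ".usedGB." GB (".pctUsed."% of ".totalGB." GB), at or above ".thresholdGB." GB"
| table message usedGB totalGB pctUsed
```

Two practical notes. First, `| rest` is a point-in-time query of the licenser endpoints, so running it as a real-time search adds load without adding information; save it as a scheduled alert that runs every few minutes (for example the cron schedule */5 * * * *) with the trigger condition "number of results is greater than 0". Because used_bytes is today's volume and resets at the start of each day on the license manager, the search will keep returning a row for the rest of the day once the threshold is crossed, so throttle the alert (suppress for 24 hours, or until the next day) to avoid a notification every cycle. Second, splunk_server=local means the search must run on the license manager itself; from another search head, point splunk_server at the license manager's name instead.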

DavidHourani
Super Champion

Hey @sumit29, any updates on this issue? Did the above help?

0 Karma

soniquella
Path Finder

This is as far as I got... tested with 30% first and it worked:

| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% used"=round(used_bytes/quota*100,2) | fields Pool "% used"| where '% used' > 80
0 Karma