Splunk Search

How to write a real-time search to alert if daily license usage reaches 70 GB or more?

sumit29
Path Finder

Hi Team

I need your help to write a search on license usage. Suppose I have a 100 GB license. My daily license usage is 60 to 65 GB. I need to write a search to find if daily license usage suddenly reaches 70 GB or more. So, if I can run this search in real time and license usage reaches 70 GB, it should throw an alert.

Thanks In Advance

DavidHourani
Super Champion

Hello Sumit,

If you go to http(s)://YOURLICENSESERVER:PORT/en-US/manager/search/licenseusage and click the little magnifying glass ("open in search") under the "Today's License Usage (GB)" panel, you will have the search that generates this value. It should look something like:

| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | join type=outer stack_id [rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota] | stats sum(used_bytes) as used max(stack_quota) as total | eval usedGB=round(used/1024/1024/1024,3) | eval totalGB=round(total/1024/1024/1024,3) | eval gauge_base=0 | eval gauge_danger=totalGB*0.8 | eval gauge_top=totalGB+0.001 | gauge usedGB gauge_base gauge_danger totalGB gauge_top

From there you can tweak the search to do what you want with it and eventually get to a search that looks like this to answer your question:

| rest splunk_server=local /services/licenser/pools | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id]| stats sum(used_bytes) as used max(quota) as total | eval Usage=(used/total)*100 | where Usage>YourLimitHere

Let me know how that works out for you.

Regards,
David

0 Karma

DavidHourani
Super Champion

Hey @sumit29, any updates on this issue? Did the above help?

0 Karma

soniquella
Path Finder

This is as far as I got... tested with 30% first and it worked:

| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% used"=round(used_bytes/quota*100,2) | fields Pool "% used" | where '% used' > 80

0 Karma
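The same pool/group logic as the two SPL searches above (active groups, their stack_ids, per-pool used_bytes against quota or effective_quota), as an added Python example that is not from this thread, so the check can also be run from a script against the licenser REST endpoints. The GROUPS and POOLS records are constructed samples shaped like the "content" of /services/licenser/groups and /services/licenser/pools entries; the threshold defaults to the asker's 70 GB and optionally takes a percent limit as well.

```python
# Added example, not from the thread: mirrors the SPL above in Python.
# GROUPS and POOLS are CONSTRUCTED sample records shaped like the "content" of
# /services/licenser/groups and /services/licenser/pools entries (output_mode=json).
GIB = 1024 ** 3

GROUPS = [  # constructed
    {"name": "Enterprise", "is_active": "1", "stack_ids": ["enterprise"]},
    {"name": "Trial", "is_active": "0", "stack_ids": ["download-trial"]},
]
POOLS = [  # constructed; a "MAX" quota means "whole stack", so effective_quota carries the bytes
    {"title": "auto_generated_pool_enterprise", "stack_id": "enterprise",
     "used_bytes": 72 * GIB, "quota": "MAX", "effective_quota": 100 * GIB},
    {"title": "auto_generated_pool_download-trial", "stack_id": "download-trial",
     "used_bytes": 5 * GIB, "quota": 500 * 1024 ** 2},
]


def active_stack_ids(groups):
    """The SPL subsearch: stack_ids of every group with is_active=1."""
    return {sid for g in groups if str(g.get("is_active")) == "1"
            for sid in g.get("stack_ids", [])}


def pool_quota_bytes(pool):
    """eval quota=if(isnull(effective_quota),quota,effective_quota). Assumption: a
    non-numeric quota such as "MAX" only appears when effective_quota is also present."""
    return int(pool.get("effective_quota", pool.get("quota")))


def pool_usage(groups, pools):
    """Per-pool usage for pools in active stacks: [(pool, used_gb, pct_used), ...]."""
    stacks = active_stack_ids(groups)
    rows = []
    for p in pools:
        if p["stack_id"] not in stacks:
            continue
        used, quota = int(p["used_bytes"]), pool_quota_bytes(p)
        rows.append((p["title"], round(used / GIB, 3), round(used / quota * 100, 2)))
    return rows


def pools_to_alert(groups, pools, limit_gb=70.0, limit_pct=None):
    """Pools at or above an absolute GB limit (the asker's 70 GB) or an optional percent limit."""
    return [(title, used_gb, pct) for title, used_gb, pct in pool_usage(groups, pools)
            if used_gb >= limit_gb or (limit_pct is not None and pct >= limit_pct)]


if __name__ == "__main__":
    for row in pools_to_alert(GROUPS, POOLS):
        print("ALERT: pool %s used %.3f GB (%.2f%% of quota)" % row)
```

The inactive trial pool is ignored exactly as the is_active=1 subsearch ignores it; swap the constructed records for the JSON returned by the REST endpoints to run it for real.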