Splunk Search

How to write a real-time search to alert if daily license usage reaches 70 GB or more?

sumit29
Path Finder

Hi Team

I need your help to write the search on the licence usage. Suppose I have a 100 GB license. My daily licence usage is 60 to 65 GB. I need to write a search to find if daily license usage suddenly reaches 70 GB or more. So, if I can run this search in real-time and license usage reaches 70 GB, it should throw an alert.

Thanks In Advance

DavidHourani
Super Champion

Hello Sumit,

If you go to http(s)://YOURLICENSESERVER:PORT/en-US/manager/search/licenseusage and you click on the little magnifying glass "open in search" under the "Today's License Usage (GB) " panel you will have the search that generates this value. It should look something like:

| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | join type=outer stack_id [rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota] | stats sum(used_bytes) as used max(stack_quota) as total | eval usedGB=round(used/1024/1024/1024,3) | eval totalGB=round(total/1024/1024/1024,3) | eval gauge_base=0 | eval gauge_danger=totalGB*0.8 | eval gauge_top=totalGB+0.001 | gauge usedGB gauge_base gauge_danger totalGB gauge_top

From there you can tweak the search to do what you want with it and eventually get to a search that looks like this to answer your question:

| rest splunk_server=local /services/licenser/pools | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id]| stats sum(used_bytes) as used max(quota) as total | eval Usage=(used/total)*100 | where Usage>YourLimitHere

Let me know how that works out for you.

Regards,
David

0 Karma

DavidHourani
Super Champion

hey @sumit29, any updates on this issue ? Did the above help ?

0 Karma

soniquella
Path Finder

This is as far as I got....tested with 30% first and worked:

| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% used"=round(used_bytes/quota*100,2) | fields Pool "% used"| where '% used' > 80
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...