Refine your search:

How do I alert on license violations?

6
1

Is there a recommended saved search I can run on the indexer to alert me when the daily indexing volume is approaching the license limit?

asked 22 Jan '10, 01:07

matt's gravatar image

matt ♦♦
2.9k1322
accept rate: 82%

2 Answers:
oldestnewestmost voted
4

You can try using this search to check your license violations:

index=_internal source=*license_audit.log LicenseManager-Audit | delta quotaExceededCount as quotadiff | stats first(quotadiff) as quotadiff | search quotadiff<0

see this forum thread: http://www.splunk.com/support/forum:SplunkSearchAndAlert/3680

link

answered 25 Jan '10, 23:48

benstraw's gravatar image

benstraw
675212
accept rate: 80%

edited 20 Apr '11, 09:09

hexx's gravatar image

hexx ♦
7.0k1834
4

You may want to use this query if you issue the search from a search head with several indexers:

index=_internal source=*license_audit.log LicenseManager-Audit | streamstats current=f global=f window=1 first(quotaExceededCount) as next_quotaExceededCount by host | eval quotadiff = next_quotaExceededCount - quotaExceededCount | search quotadiff>0

And there is more information about licenses here:

http://www.splunk.com/wiki/Community:TroubleshootingIndexedDataVolume

link

answered 10 Sep '10, 12:54

chris's gravatar image

chris
1.1k19
accept rate: 48%

1

Note: this search needs to be run over a two day period, to compare yesterday's results to today's.

(15 Feb '11, 15:53) Jason

I just set one up for earliest -2d latest now time bounds and 0 1 * * * cron schedule.

(15 Feb '11, 15:54) Jason
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×343
×340
×38

Asked: 22 Jan '10, 01:07

Seen: 1,741 times

Last updated: 20 Apr '11, 09:09

Related questions

What happens with tracked alerts during license violation period?

Index volume: hourly increase and raw volume

How does licensing work?

How do I clear out my violations listed in the UI under Manager >> License ?

How do I determine my indexing volume by host, source, or sourcetype?

Does index=_internal count against peak usage license?

What happens when I exceed my licensed limit?

Output of "list licenser-messages"

Can I inject events into Splunk via a script?

How do I alert when a host stops sending data?

Copyright © 2005-2012 Splunk, Inc. All rights reserved.