Refine your search:

License Violation Prediction

5
1

Hi, just wanted to share my efforts so far regarding an alert for predicting license violations.

I've formulated a search that will look at the license_usage.log and do some math depending on the time of day, in order to predict if there is a risk that there will be a license violation before the end of the day.

However, I've only had a fairly simple installation (1 search head, 2 indexers and only the auto_generated_pool_enterprise) to play with.

The search will set the Violation_Risk to "Yes" if you have more time than license space left at the time the search is run, e.g. if you have used up 53% of your license volume by 12 AM (noon, lunch, whatever you call it), the violation risk is set to "Yes", since you have less than half of the license volume left, but still have half a day (12 hours) to go before the license counter is reset.

index=_internal source="*license_usage.*" earliest=@d |eval GB=round(b/1024/1024/1024,1)| eval LGB=round(poolsz/1024/1024/1024,1)|stats sum(GB) AS GB_Today values(LGB) AS Limit_GB by pool | eval License_Percent_Usage=round(GB_Today/Limit_GB * 100,1) | eval Violation_Risk = if((round((((tonumber(strftime(now(), "%H")) * 60) + tonumber(strftime(now(),"%M"))) / 1440)* 100,1)) < License_Percent_Usage, "Yes", "No")

The output will look something like this.

 pool                               GB_Today  Limit_GB  License_Percent_Usage  Violation_Risk  
 auto_generated_pool_enterprise     4.0       20.0      20.0                   No

You can/should set a scheduled search to run this query... say every hour, with the Custom Condition Search set to

search Violation_Risk = Yes OR License_Percent_Usage > 90

This will also give you an alert if the usage exceeds some value of your choice, in this case 90, regardless of how much time is left before midnight.

Feel free to suggest improvements - especially if you have a more complicated setup license wise (stacks, pools, whatnot).

Notes:

  • The algorithm is admittedly a bit crude, since it assumes an even usage over time.
  • Does anybody know from where Manager -> Licensing gets its usage values? It is a lot quicker than performing the search through the license_usage.log

Hope anyone finds this useful.

Kristian

asked 03 Feb, 04:28

kristian.kolb's gravatar image

kristian.kolb
3.4k210
accept rate: 30%

I'm guessing it gets its values from the licensing REST endpoints (http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTlicense ).

(03 Feb, 04:41) Ayn
Be the first one to answer this question!
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×47
×42
×7

Asked: 03 Feb, 04:28

Seen: 241 times

Last updated: 03 Feb, 04:41

Related questions

Can I email a licensing alert before it becomes a violation

License violation alert giving false positives

Why did a license slave indexer receive a license violation when the indexing volume is still less than the license volume limit.

License Violation - "pool_violated_slave_count"

License violation on forwarders?

search disabled because of license violation. How to enable them back after importing the new license?

What happens with tracked alerts during license violation period?

License violation message

Copyright © 2005-2012 Splunk, Inc. All rights reserved.