Introduction
This is a Windows Service to automatically monitor and disable data indexing for splunk if the total indexed data exceeds the given amount.
Unzip packages1 and packages2 inside LicenceControllerSplunk\packages.
Background
Use this if you want to no longer worry about splunk licence violations.
Using the Code
Basically, it's divided in four parts.
1. Monitor Indexed Data
JobArgs Args = new JobArgs
{
EarliestTime = "@d",
LatestTime = "now"
};
await service.LogOnAsync("username", "password");
var job = await service.Jobs
.CreateAsync("| rest splunk_server=local /services/licenser/pools |
eval usedMB = round(used_bytes/1024/1024,2) | stats sum(usedMB) AS Total | sort - Total",
args: Args, mode: ExecutionMode.Normal);
using (var message = await job.GetSearchResponseMessageAsync
(outputMode: OutputMode.JsonRows))
{
var content = await message.Content.ReadAsStringAsync();
list.Add(content);
}
await service.LogOffAsync();
2. Disable All UDP Input because they are the ones that generate huge amounts of data to index
try
{
await service.LogOnAsync("username", "password");
var collection = service.CreateEntityCollection("data", "inputs", "udp");
await collection.GetAllAsync();
foreach (var entity in collection)
{
dynamic dataInput = entity.Content;
if (dataInput.Disabled == "0")
{
try
{
await entity.SendAsync(HttpMethod.Post, "disable");
}
catch
{
}
}
}
await service.LogOffAsync();
}
catch
{
}
3. Enable All UDP Inputs after midnight (because the total amount of data to index is refreshed)
try
{
await service.LogOnAsync("username", "password");
var collection = service.CreateEntityCollection("data", "inputs", "udp");
await collection.GetAllAsync();
foreach (var entity in collection)
{
dynamic dataInput = entity.Content;
if (dataInput.Disabled == "1")
{
try
{
await entity.SendAsync(HttpMethod.Post, "enable");
}
catch
{
}
}
}
await service.LogOffAsync();
}
catch
{
}
4. The implementation in this case disables all UDP inputs if indexed data is more than 7 GB
SplunkJSON Indexed = new SplunkJSON();
InvestigateIndexedVolume getdata = new InvestigateIndexedVolume();
DisableDataInputUDP disable = new DisableDataInputUDP();
EnableDataInputUDP enable = new EnableDataInputUDP();
List<string> SplunkData = new List<string>();
public async Task SleepAndCheckIndexedData()
{
var now = DateTime.Now;
var tomorrow = now.AddDays(1);
var durationUntilMidnight = tomorrow.Date - now;
int duration = Convert.ToInt32(durationUntilMidnight.TotalMinutes);
SplunkData = await getdata.InquireIndexedVolume();
Indexed = JsonConvert.DeserializeObject<SplunkJSON>(SplunkData[0]);
float MB = float.Parse(Indexed.rows[0][0], CultureInfo.InvariantCulture.NumberFormat);
if (MB > 7168)
{
await disable.DisableDataUDP();
Thread.Sleep(60000*duration);
await enable.EnableDataUDP();
}
Thread.Sleep(3600000);
}
