Automate Splunk Licence Monitoring

13 Jul 2016
Creating a Windows service to monitor Splunk licence usage using the Splunk SDK

Introduction

This is a Windows service that automatically monitors Splunk licence usage and disables data indexing if the total indexed data exceeds a given amount.

Unzip packages1 and packages2 inside LicenceControllerSplunk\packages.

Background

Use this if you no longer want to worry about Splunk licence violations.

Using the Code

The code is divided into four parts.

1. Monitor Indexed Data

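      // Search window: from midnight today ("@d") until now.
      JobArgs Args = new JobArgs
      {
          EarliestTime = "@d",
          LatestTime = "now"
      };

      // "username" and "password" are placeholders for the Splunk account.
      await service.LogOnAsync("username", "password");

      // Sum the bytes used across all licence pools on the local server, in MB.
      // The query is concatenated because a regular C# string cannot span lines.
      var job = await service.Jobs
          .CreateAsync("| rest splunk_server=local /services/licenser/pools " +
          "| eval usedMB = round(used_bytes/1024/1024,2) " +
          "| stats sum(usedMB) AS Total | sort - Total",
          args: Args, mode: ExecutionMode.Normal);

      // Read the result as JSON rows and keep the raw response for step 4.
      using (var message = await job.GetSearchResponseMessageAsync
            (outputMode: OutputMode.JsonRows))
      {
          var content = await message.Content.ReadAsStringAsync();
          list.Add(content);
      }
      await service.LogOffAsync();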

2. Disable All UDP Inputs (they are the ones that generate huge amounts of data to index)

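      try
      {
          await service.LogOnAsync("username", "password");

          var collection = service.CreateEntityCollection("data", "inputs", "udp");
          await collection.GetAllAsync();

          foreach (var entity in collection)
          {
              dynamic dataInput = entity.Content;

              // Only touch inputs that are currently enabled.
              if (dataInput.Disabled == "0")
              {
                  try
                  {
                      await entity.SendAsync(HttpMethod.Post, "disable");
                  }
                  catch (Exception ex)
                  {
                      // Record the failure instead of hiding it: this input is still indexing.
                      System.Diagnostics.Trace.TraceError("Failed to disable a UDP input: " + ex.Message);
                  }
              }
          }
          await service.LogOffAsync();
      }
      catch (Exception ex)
      {
          System.Diagnostics.Trace.TraceError("Could not disable UDP inputs: " + ex.Message);
      }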

3. Enable All UDP Inputs after midnight (because the total amount of data to index is refreshed)

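      try
      {
          await service.LogOnAsync("username", "password");

          var collection = service.CreateEntityCollection("data", "inputs", "udp");
          await collection.GetAllAsync();

          foreach (var entity in collection)
          {
              dynamic dataInput = entity.Content;

              // Only touch inputs that are currently disabled.
              if (dataInput.Disabled == "1")
              {
                  try
                  {
                      await entity.SendAsync(HttpMethod.Post, "enable");
                  }
                  catch (Exception ex)
                  {
                      // Record the failure instead of hiding it: this input stays off.
                      System.Diagnostics.Trace.TraceError("Failed to enable a UDP input: " + ex.Message);
                  }
              }
          }
          await service.LogOffAsync();
      }
      catch (Exception ex)
      {
          System.Diagnostics.Trace.TraceError("Could not enable UDP inputs: " + ex.Message);
      }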

4. The implementation in this case disables all UDP inputs if indexed data is more than 7 GB

        SplunkJSON Indexed = new SplunkJSON();
        InvestigateIndexedVolume getdata = new InvestigateIndexedVolume();
        DisableDataInputUDP disable = new DisableDataInputUDP();
        EnableDataInputUDP enable = new EnableDataInputUDP();
        List<string> SplunkData = new List<string>();

        public async Task SleepAndCheckIndexedData()
        {
            // Time left until local midnight, when the indexed total is refreshed.
            var now = DateTime.Now;
            var tomorrow = now.AddDays(1);
            var durationUntilMidnight = tomorrow.Date - now;

            // Run the search from step 1 and parse the first cell of the first row.
            SplunkData = await getdata.InquireIndexedVolume();
            Indexed = JsonConvert.DeserializeObject<SplunkJSON>(SplunkData[0]);

            float MB = float.Parse(Indexed.rows[0][0], CultureInfo.InvariantCulture.NumberFormat);

            // 7168 MB = 7 GB
            if (MB > 7168)
            {
                await disable.DisableDataUDP();
                // Task.Delay waits without blocking a thread, unlike Thread.Sleep.
                await Task.Delay(durationUntilMidnight);
                await enable.EnableDataUDP();
            }

            // Wait one hour before the next check.
            await Task.Delay(3600000);
        }
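
The article does not show the SplunkJSON class that step 4 deserializes into. The following is an added example, not code from the article or its download: a hypothetical minimal shape for that class, with a parse that returns null on an empty or non-numeric result instead of throwing on rows[0][0]. The class layout, the LicenceCheck name and the sample response are assumptions constructed for illustration; it needs the Newtonsoft.Json package the article already uses.

```csharp
using System;
using System.Globalization;
using Newtonsoft.Json;

// Hypothetical shape of SplunkJSON, matching the JsonRows output mode.
public class SplunkJSON
{
    public string[] fields { get; set; }
    public string[][] rows { get; set; }
}

public static class LicenceCheck
{
    public const double LimitMB = 7168; // 7 GB, the threshold from step 4

    // Returns the usage in MB, or null when the response has no usable value.
    public static double? ParseUsedMB(string json)
    {
        var parsed = JsonConvert.DeserializeObject<SplunkJSON>(json);
        if (parsed?.rows == null || parsed.rows.Length == 0 || parsed.rows[0].Length == 0)
            return null;
        double mb;
        bool ok = double.TryParse(parsed.rows[0][0], NumberStyles.Float,
                                  CultureInfo.InvariantCulture, out mb);
        return ok ? mb : (double?)null;
    }

    // Time left until local midnight, when the daily total is refreshed.
    public static TimeSpan UntilMidnight(DateTime now) => now.Date.AddDays(1) - now;

    public static void Main()
    {
        // Constructed sample responses, not captured from a real server.
        string over = "{\"preview\":false,\"init_offset\":0,\"messages\":[]," +
                      "\"fields\":[\"Total\"],\"rows\":[[\"7301.45\"]]}";
        string empty = "{\"fields\":[\"Total\"],\"rows\":[]}";
        var now = new DateTime(2016, 7, 13, 21, 30, 0);

        foreach (var json in new[] { over, empty })
        {
            double? used = ParseUsedMB(json);
            if (used == null)
                Console.WriteLine("No usage value returned; leaving inputs unchanged");
            else if (used > LimitMB)
                Console.WriteLine($"{used} MB > {LimitMB} MB: disable UDP for {UntilMidnight(now)}");
            else
                Console.WriteLine($"{used} MB used; below the limit");
        }
    }
}
```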

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.