<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to send a notification when the my iindexer process through a certain amount of forwarded data in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14509#M1496</link>
    <description>&lt;P&gt;I don't understand.  Why is my &lt;/P&gt;

&lt;P&gt;_internal = 3263.3 M &lt;BR /&gt;
main      = 2022.4599 M&lt;/P&gt;

&lt;P&gt;Aren't licenses based off of the "main" indexer?  If so, shouldn't I be trying to total up the main indexer instead of the "_internal"?  &lt;/P&gt;

&lt;P&gt;(fwiw - trying to run the aforementioned query with the main indexer does not work, and the main indexer is extremely slow when trying to look through everything)&lt;/P&gt;

&lt;P&gt;Please advise. &lt;/P&gt;

&lt;P&gt;Thanks!&lt;BR /&gt;
    Sean&lt;/P&gt;</description>
    <pubDate>Tue, 08 Jun 2010 02:38:35 GMT</pubDate>
    <dc:creator>seanlon11</dc:creator>
    <dc:date>2010-06-08T02:38:35Z</dc:date>
    <item>
      <title>How to send a notification when the my iindexer process through a certain amount of forwarded data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14501#M1488</link>
      <description>&lt;P&gt;I want a search that will tell me the total throughput of my indexing server, and then setup a notification if that total amount is more than 1 Gigabyte of data. &lt;/P&gt;

&lt;P&gt;Any suggestions? &lt;/P&gt;

&lt;P&gt;Thanks, 
    Sean &lt;/P&gt;</description>
      <pubDate>Sat, 29 May 2010 01:29:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14501#M1488</guid>
      <dc:creator>seanlon11</dc:creator>
      <dc:date>2010-05-29T01:29:15Z</dc:date>
    </item>
    <item>
      <title>Re: How to send a notification when the my iindexer process through a certain amount of forwarded data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14502#M1489</link>
      <description>&lt;P&gt;To calculate the indexing volume for the day use:&lt;/P&gt;

&lt;P&gt;index=_internal group=per_index_thruput earliest=@d | stats sum(kb) as KB_indexed &lt;/P&gt;

&lt;P&gt;Then schedule this search with the custom criteria: "where KB_indexed &amp;gt; 1000000 | stats count | where count &amp;gt; 0"&lt;/P&gt;

&lt;P&gt;This will alert you whenever the volume is more than 1GB for the day.&lt;/P&gt;</description>
      <pubDate>Sat, 29 May 2010 02:57:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14502#M1489</guid>
      <dc:creator>Stephen_Sorkin</dc:creator>
      <dc:date>2010-05-29T02:57:36Z</dc:date>
    </item>
    <item>
      <title>Re: How to send a notification when the my iindexer process through a certain amount of forwarded data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14503#M1490</link>
      <description>&lt;P&gt;Thanks for the help.  The query appears to work as expected, but when I try to add the custom criteria you provided above, I receive the following Error: &lt;/P&gt;

&lt;P&gt;Encountered the following error while trying to save: In handler 'savedsearch': Cannot parse alert condition. Search operation 'count' is unknown. You might not have permission to run this operation.&lt;/P&gt;

&lt;P&gt;What I have as my Customer Criteria: &lt;/P&gt;

&lt;P&gt;where KB_indexed &amp;gt; 1000000 | stats count | count &amp;gt; 0&lt;/P&gt;

&lt;P&gt;Any ideas what steps are needed to correct the error above? &lt;/P&gt;

&lt;P&gt;Thanks, &lt;BR /&gt;
    Sean&lt;/P&gt;</description>
      <pubDate>Sat, 29 May 2010 03:05:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14503#M1490</guid>
      <dc:creator>seanlon11</dc:creator>
      <dc:date>2010-05-29T03:05:42Z</dc:date>
    </item>
    <item>
      <title>Re: How to send a notification when the my iindexer process through a certain amount of forwarded data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14504#M1491</link>
      <description>&lt;P&gt;Try  &lt;CODE&gt;where KB_indexed &amp;gt; 1000000 | stats count | search count &amp;gt; 0&lt;/CODE&gt;&lt;/P&gt;</description>
      <pubDate>Sat, 29 May 2010 03:29:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14504#M1491</guid>
      <dc:creator>Lowell</dc:creator>
      <dc:date>2010-05-29T03:29:04Z</dc:date>
    </item>
    <item>
      <title>Re: How to send a notification when the my iindexer process through a certain amount of forwarded data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14505#M1492</link>
      <description>&lt;P&gt;Thanks for the help Lowell, but I am running into a similar issue: &lt;/P&gt;

&lt;P&gt;Encountered the following error while trying to save: In handler 'savedsearch': Cannot parse alert condition. Search operation 'kb' is unknown. You might not have permission to run this operation.&lt;/P&gt;

&lt;P&gt;Why does it not recognize the "kb" from the original search? &lt;/P&gt;

&lt;P&gt;Thanks, &lt;BR /&gt;
    Sean&lt;/P&gt;</description>
      <pubDate>Sat, 29 May 2010 04:18:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14505#M1492</guid>
      <dc:creator>seanlon11</dc:creator>
      <dc:date>2010-05-29T04:18:15Z</dc:date>
    </item>
    <item>
      <title>Re: How to send a notification when the my iindexer process through a certain amount of forwarded data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14506#M1493</link>
      <description>&lt;P&gt;Sean, what is the exact custom criteria that you're trying?&lt;/P&gt;</description>
      <pubDate>Sat, 29 May 2010 05:16:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14506#M1493</guid>
      <dc:creator>Stephen_Sorkin</dc:creator>
      <dc:date>2010-05-29T05:16:41Z</dc:date>
    </item>
    <item>
      <title>Re: How to send a notification when the my iindexer process through a certain amount of forwarded data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14507#M1494</link>
      <description>&lt;P&gt;KB_indexed &amp;gt; 1000000 | stats count | search count &amp;gt; 0&lt;/P&gt;</description>
      <pubDate>Tue, 01 Jun 2010 22:35:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14507#M1494</guid>
      <dc:creator>seanlon11</dc:creator>
      <dc:date>2010-06-01T22:35:38Z</dc:date>
    </item>
    <item>
      <title>Re: How to send a notification when the my iindexer process through a certain amount of forwarded data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14508#M1495</link>
      <description>&lt;P&gt;where KB_indexed &amp;gt; 1000000 | stats count | where count &amp;gt; 0&lt;/P&gt;

&lt;P&gt;The "where" clause was missing.  My bad.&lt;/P&gt;</description>
      <pubDate>Tue, 01 Jun 2010 22:37:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14508#M1495</guid>
      <dc:creator>seanlon11</dc:creator>
      <dc:date>2010-06-01T22:37:57Z</dc:date>
    </item>
    <item>
      <title>Re: How to send a notification when the my iindexer process through a certain amount of forwarded data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14509#M1496</link>
      <description>&lt;P&gt;I don't understand.  Why is my &lt;/P&gt;

&lt;P&gt;_internal = 3263.3 M &lt;BR /&gt;
main      = 2022.4599 M&lt;/P&gt;

&lt;P&gt;Aren't licenses based off of the "main" indexer?  If so, shouldn't I be trying to total up the main indexer instead of the "_internal"?  &lt;/P&gt;

&lt;P&gt;(fwiw - trying to run the aforementioned query with the main indexer does not work, and the main indexer is extremely slow when trying to look through everything)&lt;/P&gt;

&lt;P&gt;Please advise. &lt;/P&gt;

&lt;P&gt;Thanks!&lt;BR /&gt;
    Sean&lt;/P&gt;</description>
      <pubDate>Tue, 08 Jun 2010 02:38:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-send-a-notification-when-the-my-iindexer-process-through/m-p/14509#M1496</guid>
      <dc:creator>seanlon11</dc:creator>
      <dc:date>2010-06-08T02:38:35Z</dc:date>
    </item>
  </channel>
</rss>

