https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83010#M1148 <P>I see you already found a solution yourself - accept that answer if you're satisfied to mark the question as resolved.</P> Fri, 11 Jan 2013 08:00:19 GMT martin_mueller 2013-01-11T08:00:19Z https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83004#M1142 <P>Am trying to monitor a license violation based on this search</P> <PRE><CODE>index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1024 | stats sum(MB) as totalMB by pool, date_mday |where totalMB &gt; 1000 |eval today=strftime(now(), "%e") </CODE></PRE> <P>This returns the table as:</P> <PRE><CODE>pool date_mday totalMB today auto_generated_pool_enterprise 1 1509.784787 9 auto_generated_pool_enterprise 2 1775.701592 9 auto_generated_pool_enterprise 3 1860.892447 9 auto_generated_pool_enterprise 4 16658.177067 9 auto_generated_pool_enterprise 5 17781.991444 9 auto_generated_pool_enterprise 6 2208.284199 9 auto_generated_pool_enterprise 7 12906.510156 9 auto_generated_pool_enterprise 8 16878.486005 9 auto_generated_pool_enterprise 9 12402.581627 9 </CODE></PRE> <P>Now my issue is i want to set up an alert on the particular day when a license violation occurs and not on subsequent days. So am setting my custom alert condition as:</P> <PRE><CODE>search totalMB&gt;1000 and (date_mday=" "+today or date_mday=today) </CODE></PRE> <P>This does not work. How to write this custom condition?</P> Thu, 10 Jan 2013 01:30:04 GMT https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83004#M1142 pdash 2013-01-10T01:30:04Z https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83005#M1143 <P>Am I right in assuming that you want to raise an alert when the indexed volume of the previous day (or the current day?) exceeds a certain amount?</P> <P>The easiest way to achieve that would be to filter the license usage events down to the relevant time frame straight away in the first search / the time picker. Then you have no issue filtering out the irrelevant days further down the query.</P> <P>The alert condition would then just check if there is a result for the day in question that passed the &gt;1000MB filter.</P> Thu, 10 Jan 2013 07:53:37 GMT https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83005#M1143 martin_mueller 2013-01-10T07:53:37Z https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83006#M1144 <P>First, you don't need to have <CODE>search totalMB&gt;1000</CODE> in the alert condition, since the original search already does that.</P> <P>Second, 'or' should be 'OR'. 'and' should be 'AND'. There is a difference. However 'AND' is not needed, since there's an implicit AND between all search terms. Remove it. </P> <P>Third, I do not understand <CODE>date_mday=" "+today</CODE>. What does that mean? Typo?</P> Thu, 10 Jan 2013 07:55:36 GMT https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83006#M1144 kristian_kolb 2013-01-10T07:55:36Z https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83007#M1145 <P>well the answer to your third question is because %d gives today as 09 and %e gives today as " 9". While date_mday gives as just 9. In order to compare i need to add the space when i have single digit day. Is there a way to concatenate?</P> Thu, 10 Jan 2013 16:44:23 GMT https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83007#M1145 pdash 2013-01-10T16:44:23Z https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83008#M1146 <P>You are right but the issue is when the alert get triggered I want it to show all violations within that month. So am setting @mon to now as time frame. Again when I do this, it would just trigger everyday cause it would find that condition in the search result even if it is of a previous day. I want it to send me an email only when there is an alert today and show me how many violations in this month.</P> Thu, 10 Jan 2013 18:39:49 GMT https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83008#M1146 pdash 2013-01-10T18:39:49Z https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83009#M1147 <P>Just answering my own question:<BR /> The query would be:<BR /> index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1024 | stats sum(MB) as TotalMBUsed by pool, date_mday|eval Today=trim((strftime(now(), "%e")), " ")| eval MBExceededBy = 512000 - TotalMBUsed |eval MBAvailable = 512000 |eval Environment = "DEV" |eval TriggeredOn = if((match(date_mday,Today)), "Today", date_mday)|where TotalMBUsed &gt; 512000</P> <P>Time Range is @mon to now</P> <P>Custom Condtion is "search TriggeredOn = Today"</P> <P>This would trigger the alert on the day a violation occurs and the alert table will have all the violation of that month so that you know how many violations you have done in this month.</P> Mon, 28 Sep 2020 13:05:08 GMT https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83009#M1147 pdash 2020-09-28T13:05:08Z https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83010#M1148 <P>I see you already found a solution yourself - accept that answer if you're satisfied to mark the question as resolved.</P> Fri, 11 Jan 2013 08:00:19 GMT https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83010#M1148 martin_mueller 2013-01-11T08:00:19Z https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83011#M1149 <P>aah, yes, to concatenate use the dot operator </P> <P><CODE>eval aa = " " . date_mday</CODE></P> Fri, 11 Jan 2013 08:01:45 GMT https://community.splunk.com/t5/Alerting/License-Alert-Custom-Condition/m-p/83011#M1149 kristian_kolb 2013-01-11T08:01:45Z