topic Re: Alerts on license usage for Splunk 6.1 in Alerting

Alerts on license usage for Splunk 6.1

athorat — Wed, 17 Jun 2015 22:42:00 GMT

Hi Folks,

I am using the query to get the data indexed per day

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats  sum(GB)

And want to trigger an email when the indexed data reaches 20GB.
in custom condition I am using

where sum(GB) > 20

I am not getting an email for this alert.
Not sure what's going wrong about this one.Getting emails for other alerts.
Is the query correct?

Re: Alerts on license usage for Splunk 6.1

MuS — Wed, 17 Jun 2015 22:56:29 GMT

Hi athorat,

Well, if you run this search directly in Splunk like this:

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats  sum(GB) | where sum(GB) > 20

You will get a nice error message:

 Error in 'where' command: The 'sum' function is unsupported or undefined.

But, if you run it like this:

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats  sum(GB) AS sum | where sum > 20

all works as expected.

Hope that helps ...

cheers, MuS

Re: Alerts on license usage for Splunk 6.1

athorat — Wed, 17 Jun 2015 23:17:16 GMT

Hey MuS,

thanks for the reply.
So my query in the search is

  index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats  sum(GB)

and when I Save it as a alert I use

where sum(GB) > 20
So I am not getting the error which you mention its just that the email is not triggered nor do I see the alert being triggered.

Thanks,
Anil.

Re: Alerts on license usage for Splunk 6.1

MuS — Wed, 17 Jun 2015 23:20:19 GMT

yes, the reason why you get no email nor the alert is triggered is that where sum(GB) > 20 does not work. So change it like I said and it will run 😉

Re: Alerts on license usage for Splunk 6.1

athorat — Thu, 18 Jun 2015 00:30:56 GMT

so I changed the query as per your suggestions

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats  sum(GB) AS sum

and in the alerts I am supposed to put the Custom condition which I did, still does not trigger the alret.

where sum > 20

I am not sure If I have the query right.

Re: Alerts on license usage for Splunk 6.1

MuS — Thu, 18 Jun 2015 00:44:52 GMT

the query looks good, you probably are not over 20Gb yet. So change it to a lower number like 1Gb

Re: Alerts on license usage for Splunk 6.1

athorat — Thu, 18 Jun 2015 00:55:18 GMT

The data shows its more than 22 GB.
Cant attach a snapshot here.

Re: Alerts on license usage for Splunk 6.1

MuS — Thu, 18 Jun 2015 01:00:59 GMT

can you paste the config for this alert from savedsearches.conf please?

Re: Alerts on license usage for Splunk 6.1

athorat — Thu, 25 Jun 2015 08:06:41 GMT

What is the path of this file?