Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alerts: Assistance in showing servers logging the most when license quota is at 75% full

agentguerry
Path Finder
‎08-28-2018 08:34 AM

I am looking for help to see how i can have my current alert, which emails me that our quota is 75% full, to also present in my email the top 10 offenders of logging.

Is that possible?

Currently my search i'm using to show a 30G quota being 75% full is:

index=_internal source="license_usage.lo" type=Usage pool="Linux Pool" earliest=@d| stats sum(b) as bytes | eval gb=bytes/1024/1024/1024|where gb>=22

Is there a way on the search to also have it show the top offenders, such as

index = * | tp limit=10 host

Thank you!

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎08-28-2018 08:48 AM

Try like this

index=_internal source="license_usage.lo" type=Usage pool="Linux Pool" earliest=@d
| stats sum(b) as usageGB by h
| eval usageGB =usageGB/1024/1024/1024 
| eventstats sum(usageGB) as TotalUsage  
| sort 10 UsageGB|where TotalUsage>=22
0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...