Alerting

Alerts on license usage for Splunk 6.1

athorat
Communicator

Hi Folks,

I am using the query to get the data indexed per day

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats  sum(GB)

And want to trigger an email when the indexed data reaches 20GB.
in custom condition I am using

where sum(GB) > 20

I am not getting an email for this alert.
Not sure what's going wrong about this one.Getting emails for other alerts.
Is the query correct?

0 Karma

MuS
Legend

Hi athorat,

Well, if you run this search directly in Splunk like this:

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats  sum(GB) | where sum(GB) > 20

You will get a nice error message:

 Error in 'where' command: The 'sum' function is unsupported or undefined.

But, if you run it like this:

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats  sum(GB) AS sum | where sum > 20

all works as expected.

Hope that helps ...

cheers, MuS

athorat
Communicator

What is the path of this file?

0 Karma

athorat
Communicator

Hey MuS,

thanks for the reply.
So my query in the search is

  index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats  sum(GB)

and when I Save it as a alert I use

where sum(GB) > 20
So I am not getting the error which you mention its just that the email is not triggered nor do I see the alert being triggered.

Thanks,
Anil.

0 Karma

MuS
Legend

yes, the reason why you get no email nor the alert is triggered is that where sum(GB) > 20 does not work. So change it like I said and it will run 😉

0 Karma

athorat
Communicator

so I changed the query as per your suggestions

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats  sum(GB) AS sum

and in the alerts I am supposed to put the Custom condition which I did, still does not trigger the alret.

where sum > 20

I am not sure If I have the query right.

0 Karma

MuS
Legend

the query looks good, you probably are not over 20Gb yet. So change it to a lower number like 1Gb

0 Karma

athorat
Communicator

The data shows its more than 22 GB.
Cant attach a snapshot here.

0 Karma

MuS
Legend

can you paste the config for this alert from savedsearches.conf please?

0 Karma
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...