Hi Folks,
I am using the query to get the data indexed per day
index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats sum(GB)
And want to trigger an email when the indexed data reaches 20GB.
In the custom condition I am using
where sum(GB) > 20
I am not getting an email for this alert.
Not sure what's going wrong with this one. Getting emails for other alerts.
Is the query correct?
Hi athorat,
Well, if you run this search directly in Splunk like this:
index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats sum(GB) | where sum(GB) > 20
You will get a nice error message:
Error in 'where' command: The 'sum' function is unsupported or undefined.
But, if you run it like this:
index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats sum(GB) AS sum | where sum > 20
all works as expected.
Hope that helps ...
cheers, MuS
What is the path of this file?
Hey MuS,
thanks for the reply.
So my query in the search is
index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats sum(GB)
and when I save it as an alert I use
where sum(GB) > 20
So I am not getting the error which you mention; it's just that the email is not triggered, nor do I see the alert being triggered.
Thanks,
Anil.
Yes, the reason why you get no email and the alert is not triggered is that where sum(GB) > 20
does not work. So change it like I said and it will run 😉
So I changed the query as per your suggestions
index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats sum(GB) AS sum
and in the alert I am supposed to put the custom condition, which I did; it still does not trigger the alert.
where sum > 20
I am not sure if I have the query right.
The query looks good; you probably are not over 20 GB yet. So change it to a lower number like 1 GB.
The data shows it's more than 22 GB.
Can't attach a snapshot here.
Can you paste the config for this alert from savedsearches.conf, please?
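As an added illustration (not config posted in this thread), here is how the alert discussed above might look in savedsearches.conf, with the non-working custom condition beside the corrected one that MuS suggested; the stanza names, schedule, time range and recipient address are assumptions:

```ini
# Constructed savedsearches.conf stanzas for the alert in this thread.
# Stanza names, schedule, time range and recipient address are assumptions.

# Not working: 'where' cannot resolve sum(GB) as a field, so the condition
# search fails and the alert never fires (and no email is sent).
[indexed_data_20gb_broken]
search = index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | stats sum(GB)
alert_type = custom
alert_condition = where sum(GB) > 20
cron_schedule = 0 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
enableSched = 1
action.email = 1
action.email.to = splunk-admins@example.com

# Working: the stats result is renamed with AS, and the custom condition
# compares that field name, exactly as the search-bar test showed.
[indexed_data_20gb]
search = index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | stats sum(GB) AS sum
alert_type = custom
alert_condition = where sum > 20
cron_schedule = 0 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
enableSched = 1
action.email = 1
action.email.to = splunk-admins@example.com
```

The custom condition runs against the results of the saved search, so the field it references must match what stats emits; appending the condition to the search in the search bar, as done earlier in the thread, is the quickest way to confirm it evaluates without error.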