Solved: Custom Alert condition search to report on indexed...

apro · ‎06-24-2010

Hi,

Have scheduled a search to report on total daily indexed volume for all our servers.

Will like to create Custom Alert condition search to specify if I only want to receive an email notification if the total indexed volume hit certain percent of the license limit? say eg. 350MB out of 500MB?80% out of 100%..

Lowell · ‎06-25-2010

Here is an example of a search that shows percentage of license use:

index=_internal sourcetype=splunkd LicenseManager-Audit todaysBytesIndexed licenseSize | eval todayMb=(todaysBytesIndexed/1048576) | eval percentUsed=round(100*todayMb/licenseSize,2)

For the purpose of an alert, you could add a custom alerting condition with the following expressions if you only want to be notified when your usage exceeds 80%.

where percentUsed>80

View solution in original post

Lowell · ‎06-25-2010

Here is an example of a search that shows percentage of license use:

index=_internal sourcetype=splunkd LicenseManager-Audit todaysBytesIndexed licenseSize | eval todayMb=(todaysBytesIndexed/1048576) | eval percentUsed=round(100*todayMb/licenseSize,2)

For the purpose of an alert, you could add a custom alerting condition with the following expressions if you only want to be notified when your usage exceeds 80%.

where percentUsed>80

beaumaris · ‎09-29-2011

This works for pre-4.2 installations, but with 4.2 and license pooling the license_audit.log file always reports 0 for all the fields. How would you structure the search on a 4.2.X system that is configured for license pooling?

Custom Alert condition search to report on indexed volume

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!