How to configure an alert for log volume that is approaching 80%

New Member

I have a requirement:
There are 2 hosts.

The set license limit for the 2 hosts is 30 GB/day.
I need to configure an alert: sum the license volume for hosts 1 & 2 every hour, and alert if the log volume is approaching 80% (i.e., 24 GB/day). The volume consumption resets to 0 GB/day at 12 midnight every day.


New Member

Hi Woodcock,

Thank you for responding. I ran the query. At the end of the run I see events. However, in the stats tab I do not see any data. I see this: command="predict", Unknown field: volume_b.
May I request your help with resolving the issue?


Esteemed Legend

Start with this and work it out from there:

index=_internal AND source=*license_usage.log* AND type=Usage
| timechart span=1h sum(b) AS volume_b
| predict volume_b AS prediction algorithm=LLP period=24 future_timespan=24
| addinfo
| where _time>=relative_time(info_max_time, "@d") AND _time<relative_time(info_max_time, "+d@d")
| fields - info*
| eval merged = coalesce(volume_b, prediction)
| stats sum(merged) AS predicted_volume sum(volume_b) AS volume_so_far
| eval volume_so_far=round(volume_so_far/1024/1024/1024,2)
| eval predicted_volume=round(predicted_volume/1024/1024/1024,2)


Esteemed Legend

If this is really the deal, then the easiest way to handle it is to use this setting on the forwarder in limits.conf:

# This corresponds to 30GB/day
maxKBps = 364

This way if they bust license here and there, it will still come in, just later.

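Putting the original requirement (30 GB/day pool, alert at 80%, counter resets at midnight, checked hourly) together with the license_usage.log approach from the answer above, here is an added example of a complete alert search; it is not code from the thread. It assumes the two hosts are named host1 and host2 (placeholders), uses the `h` field of type=Usage events for the originating host, and replaces `predict` with a simple linear pace projection so the alert also fires early when the current rate would exhaust the daily limit.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=@d latest=now
    h IN ("host1", "host2")
| stats sum(b) AS bytes_today
| eval limit_gb=30, alert_pct=80
| eval gb_today=round(bytes_today/1024/1024/1024, 2)
| eval pct_of_limit=round(gb_today/limit_gb*100, 1)
| eval hours_elapsed=max((now()-relative_time(now(), "@d"))/3600, 1)
| eval projected_gb=round(gb_today/hours_elapsed*24, 2)
| where pct_of_limit >= alert_pct OR projected_gb >= limit_gb
| table gb_today pct_of_limit projected_gb limit_gb
```

Save it as a scheduled alert with a cron schedule of `0 * * * *` and trigger condition "number of results > 0": the search returns a row only when today's usage is at or above 24 GB (80% of 30 GB) or the current pace would cross 30 GB before midnight.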