How configure alert for log volume that is approac...

krishdevineni9 · ‎09-23-2019

Hi,
I have a requirement:
There are 2 hosts.

The set license limit for the 2 hosts is 30GB/day.
Need to configure an alert : sum the license volume by host 1 & 2 every hour and if log volume is approaching 80%(i.e.,24GB/day) alert. The volume consumption resets to 0GB/day at 12 midnight every day.
Thanks,
Krish

krishscalar · ‎09-25-2019

Hi Woodcook,

Thank you for responding. I ran the query. At the end of the run I see events. However in the stats tab I do not see any data. I see this command="predict", Unknown field: volume_b.
May I request you to help me with resolving the issue.

Thanks,
Krish

woodcock · ‎09-23-2019

Start with this and work it out from there:

index=_internal AND source=*license_usage.log* AND type=Usage
| timechart span=1h sum(b) AS volume_b BY host
| predict algorithm=LLP period=24 volume_b AS prediction future_timespan=24
| addinfo
| where _time>=relative_time(info_max_time, "@d") AND _time<relative_time(info_max_time, "+d@d")
| fields - info*
| eval merged = coalesce(volume_b, prediction)
| stats sum(merged) AS predicted_volume sum(volume_b) AS volume_so_far
| eval volume_so_far=round(volume_so_far/1024/1024/1024,2)
| eval predicted_volume=round(predicted_volume/1024/1024/1024,2)

woodcock · ‎09-23-2019

If this is really the deal, then the easiest way to handle it is to use this setting on the forwarder in limits.conf:

[thruput]
# This corresponds to 30GB/day
maxKBps = 364

This way if they bust license here and there, it will still come in, just later.

How configure alert for log volume that is approaching 80%

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk