I have a requirement:
There are 2 hosts.
The set license limit for the 2 hosts is 30GB/day.
Need to configure an alert: sum the license volume of host 1 and host 2 every hour and alert if the log volume is approaching 80% (i.e., 24GB/day). The volume consumption resets to 0GB/day at 12 midnight every day.
If this is really the deal, then the easiest way to handle it is to use this setting on the forwarder in limits.conf:
[thruput]
# This corresponds to 30GB/day
maxKBps = 364
This way, if they bust the license here and there, the data will still come in, just later.
Start with this and work it out from there:
index=_internal AND source=*license_usage.log* AND type=Usage
| timechart span=1h sum(b) AS volume_b BY host
| predict algorithm=LLP period=24 volume_b AS prediction future_timespan=24
| addinfo
| where _time>=relative_time(info_max_time, "@d") AND _time<relative_time(info_max_time, "+d@d")
| fields - info*
| eval merged = coalesce(volume_b, prediction)
| stats sum(merged) AS predicted_volume sum(volume_b) AS volume_so_far
| eval volume_so_far=round(volume_so_far/1024/1024/1024,2)
| eval predicted_volume=round(predicted_volume/1024/1024/1024,2)
Thank you for responding. I ran the query. At the end of the run I see events. However, in the stats tab I do not see any data. I see this: command="predict", Unknown field: volume_b.
May I request your help in resolving this issue?
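The "Unknown field: volume_b" error comes from the `BY host` split in the timechart: splitting renames the series to the host names, so no column called `volume_b` exists by the time `predict` runs. Below is an added corrected search (not from the original thread) that first restricts the Usage lines to the two hosts via the `h` field (the originating host recorded in license_usage.log) and sums them into a single hourly series before forecasting; `host1` and `host2` are placeholders, the 30GB limit and 24GB (80%) threshold come from the question, and the search assumes a time range of several days (e.g. earliest=-7d@d) so that `predict` has enough history for a 24-hour period.

```spl
index=_internal source=*license_usage.log* type=Usage (h="host1" OR h="host2") earliest=-7d@d latest=now
| timechart span=1h sum(b) AS volume_b
| predict volume_b AS prediction algorithm=LLP period=24 future_timespan=24
| addinfo
| where _time>=relative_time(info_max_time, "@d") AND _time<relative_time(info_max_time, "+d@d")
| fields - info*
| eval merged=coalesce(volume_b, prediction)
| stats sum(merged) AS predicted_volume sum(volume_b) AS volume_so_far
| eval volume_so_far=round(volume_so_far/1024/1024/1024,2)
| eval predicted_volume=round(predicted_volume/1024/1024/1024,2)
| eval limit_gb=30, threshold_gb=24
| eval pct_of_limit_so_far=round(100*volume_so_far/limit_gb,1)
| eval pct_of_limit_predicted=round(100*predicted_volume/limit_gb,1)
| where volume_so_far>=threshold_gb OR predicted_volume>=threshold_gb
```

Schedule this as an alert running every hour with "trigger when number of results > 0": `volume_so_far` catches the case where today's consumption has already crossed 24GB, and `predicted_volume` fires early when the forecast for the rest of the day (which resets at midnight because of the `@d` window) says it will.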