I am getting "Unknown search command 'st'" error when I execute that command..

index=_internal source=*license_usage.log type=Usage
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| st=yourIndexName MB>10000
| fields st MB

Trigger condition when results>0.

st=yourindexname - add this . Due to formatting it got wiped off I guess

my index is test. below query is correct?

index=_internal source=*license_usage.log type=Usage
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| st=test MB>10000
| fields st MB

index=_internal source=*license_usage.log type=Usage st=test
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| where MB>10000
| fields st MB

It should work now, I tested it.

st means sourcetype right? I need it for index

for index use this :

index=_internal source=*license_usage.log type=Usage idx=test
| stats sum(b) AS bytes by idx
| eval MB= round(bytes/1024/1024,1)
| where MB>10000
| fields idx MB

Yeah. it worked. great. instead of st I have used idx. it looks good now. Thank you very much!!

No problem, please accept and vote for the solution and comments.

Thanks.

A little issue in the query ..

index=_internal source=*license_usage.log type=Usage st="yourIndexName"
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| where MB>10000
| fields st MB

It should work now, I tested it.

Hi,

Also I need it for specific index, not for all index or sourcetype.

yes, st=yourspecificindexname