Alerting

How do I write a search to monitor daily license usage by index and trigger an alert if it crosses 10GB?

chris1
Explorer

Hi ,

Actually I want to monitor License for specific index and if it crosses e.g 10 GB limit, then it should trigger the alert. Can someone help me with the search?

Thanks..

0 Karma
1 Solution

jensonthottian
Contributor

index=_internal source=*license_usage.log type=Usage
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| st= MB>10000
| fields st MB

Trigger condition when results>0.

View solution in original post

jensonthottian
Contributor

index=_internal source=*license_usage.log type=Usage
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| st= MB>10000
| fields st MB

Trigger condition when results>0.

chris1
Explorer

I am getting "Unknown search command 'st'" error when I execute that command..

0 Karma

jensonthottian
Contributor

index=_internal source=*license_usage.log type=Usage
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| st=yourIndexName MB>10000
| fields st MB

Trigger condition when results>0.

st=yourindexname - add this . Due to formatting it got wiped off I guess

0 Karma

chris1
Explorer

my index is test. below query is correct?

index=_internal source=*license_usage.log type=Usage
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| st=test MB>10000
| fields st MB

0 Karma

jensonthottian
Contributor

index=_internal source=*license_usage.log type=Usage st=test
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| where MB>10000
| fields st MB

It should work now, I tested it.

0 Karma

chris1
Explorer

st means sourcetype right? I need it for index

0 Karma

jensonthottian
Contributor

for index use this :

index=_internal source=*license_usage.log type=Usage idx=test
| stats sum(b) AS bytes by idx
| eval MB= round(bytes/1024/1024,1)
| where MB>10000
| fields idx MB

chris1
Explorer

Yeah. it worked. great. instead of st I have used idx. it looks good now. Thank you very much!!

jensonthottian
Contributor

No problem, please accept and vote for the solution and comments.

Thanks.

0 Karma

jensonthottian
Contributor

A little issue in the query ..

index=_internal source=*license_usage.log type=Usage st="yourIndexName"
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| where MB>10000
| fields st MB

It should work now, I tested it.

chris1
Explorer

Hi,

Also I need it for specific index, not for all index or sourcetype.

0 Karma

jensonthottian
Contributor

yes, st=yourspecificindexname

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...