Alerting
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I write a search to monitor daily license usage by index and trigger an alert if it crosses 10GB?

chris1
Explorer
‎08-20-2015 02:13 PM

Hi ,

Actually I want to monitor License for specific index and if it crosses e.g 10 GB limit, then it should trigger the alert. Can someone help me with the search?

Thanks..

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jensonthottian
Contributor
‎08-20-2015 03:23 PM

index=_internal source=*license_usage.log type=Usage
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| st= MB>10000
| fields st MB

Trigger condition when results>0.

View solution in original post

Reply
Solved! Jump to solution
Solution

jensonthottian
Contributor
‎08-20-2015 03:23 PM

index=_internal source=*license_usage.log type=Usage
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| st= MB>10000
| fields st MB

Trigger condition when results>0.

Reply
Solved! Jump to solution

chris1
Explorer
‎08-20-2015 03:40 PM

I am getting "Unknown search command 'st'" error when I execute that command..

0 Karma
Reply
Solved! Jump to solution

jensonthottian
Contributor
‎08-20-2015 03:42 PM

index=_internal source=*license_usage.log type=Usage
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| st=yourIndexName MB>10000
| fields st MB

Trigger condition when results>0.

st=yourindexname - add this . Due to formatting it got wiped off I guess

0 Karma
Reply
Solved! Jump to solution

chris1
Explorer
‎08-20-2015 03:48 PM

my index is test. below query is correct?

index=_internal source=*license_usage.log type=Usage
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| st=test MB>10000
| fields st MB

0 Karma
Reply
Solved! Jump to solution

jensonthottian
Contributor
‎08-20-2015 03:52 PM

index=_internal source=*license_usage.log type=Usage st=test
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| where MB>10000
| fields st MB

It should work now, I tested it.

0 Karma
Reply
Solved! Jump to solution

chris1
Explorer
‎08-20-2015 03:58 PM

st means sourcetype right? I need it for index

0 Karma
Reply
Solved! Jump to solution

jensonthottian
Contributor
‎08-20-2015 04:03 PM

for index use this :

index=_internal source=*license_usage.log type=Usage idx=test
| stats sum(b) AS bytes by idx
| eval MB= round(bytes/1024/1024,1)
| where MB>10000
| fields idx MB

Reply
Solved! Jump to solution

chris1
Explorer
‎08-20-2015 04:01 PM

Yeah. it worked. great. instead of st I have used idx. it looks good now. Thank you very much!!

Reply
Solved! Jump to solution

jensonthottian
Contributor
‎08-20-2015 04:05 PM

No problem, please accept and vote for the solution and comments.

Thanks.

0 Karma
Reply
Solved! Jump to solution

jensonthottian
Contributor
‎08-20-2015 03:46 PM

A little issue in the query ..

index=_internal source=*license_usage.log type=Usage st="yourIndexName"
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| where MB>10000
| fields st MB

It should work now, I tested it.

Reply
Solved! Jump to solution

chris1
Explorer
‎08-20-2015 03:42 PM

Hi,

Also I need it for specific index, not for all index or sourcetype.

0 Karma
Reply
Solved! Jump to solution

jensonthottian
Contributor
‎08-20-2015 03:43 PM

yes, st=yourspecificindexname

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top