Alerting

How do I write a search to monitor daily license usage by index and trigger an alert if it crosses 10GB?

chris1
Explorer

Hi ,

Actually I want to monitor License for specific index and if it crosses e.g 10 GB limit, then it should trigger the alert. Can someone help me with the search?

Thanks..

0 Karma
1 Solution

jensonthottian
Contributor

index=_internal source=*license_usage.log type=Usage
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| st= MB>10000
| fields st MB

Trigger condition when results>0.

View solution in original post

jensonthottian
Contributor

index=_internal source=*license_usage.log type=Usage
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| st= MB>10000
| fields st MB

Trigger condition when results>0.

chris1
Explorer

I am getting "Unknown search command 'st'" error when I execute that command..

0 Karma

jensonthottian
Contributor

index=_internal source=*license_usage.log type=Usage
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| st=yourIndexName MB>10000
| fields st MB

Trigger condition when results>0.

st=yourindexname - add this . Due to formatting it got wiped off I guess

0 Karma

chris1
Explorer

my index is test. below query is correct?

index=_internal source=*license_usage.log type=Usage
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| st=test MB>10000
| fields st MB

0 Karma

jensonthottian
Contributor

index=_internal source=*license_usage.log type=Usage st=test
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| where MB>10000
| fields st MB

It should work now, I tested it.

0 Karma

chris1
Explorer

st means sourcetype right? I need it for index

0 Karma

jensonthottian
Contributor

for index use this :

index=_internal source=*license_usage.log type=Usage idx=test
| stats sum(b) AS bytes by idx
| eval MB= round(bytes/1024/1024,1)
| where MB>10000
| fields idx MB

chris1
Explorer

Yeah. it worked. great. instead of st I have used idx. it looks good now. Thank you very much!!

jensonthottian
Contributor

No problem, please accept and vote for the solution and comments.

Thanks.

0 Karma

jensonthottian
Contributor

A little issue in the query ..

index=_internal source=*license_usage.log type=Usage st="yourIndexName"
| stats sum(b) AS bytes by st
| eval MB= round(bytes/1024/1024,1)
| where MB>10000
| fields st MB

It should work now, I tested it.

chris1
Explorer

Hi,

Also I need it for specific index, not for all index or sourcetype.

0 Karma

jensonthottian
Contributor

yes, st=yourspecificindexname

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...