Alerting

How do I write a search to monitor daily license usage by index and trigger an alert if it crosses 10GB?

Explorer

Hi,

Actually, I want to monitor license usage for a specific index and, if it crosses e.g. a 10 GB limit, trigger an alert. Can someone help me with the search?

Thanks.

0 Karma
1 Solution

Contributor

index=_internal source=*license_usage.log type=Usage st="yourIndexName"
| stats sum(b) AS bytes by st
| eval MB=round(bytes/1024/1024,1)
| where MB>10000
| fields st MB

Trigger condition: number of results > 0.

Explorer

I am getting an "Unknown search command 'st'" error when I execute that command.

0 Karma

Contributor

index=_internal source=*license_usage.log type=Usage
| stats sum(b) AS bytes by st
| eval MB=round(bytes/1024/1024,1)
| st=yourIndexName MB>10000
| fields st MB

Trigger condition: number of results > 0.

st=yourindexname - add this. Due to formatting it got wiped off, I guess.

0 Karma

Explorer

My index is test. Is the below query correct?

index=_internal source=*license_usage.log type=Usage
| stats sum(b) AS bytes by st
| eval MB=round(bytes/1024/1024,1)
| st=test MB>10000
| fields st MB

0 Karma

Contributor

index=_internal source=*license_usage.log type=Usage st=test
| stats sum(b) AS bytes by st
| eval MB=round(bytes/1024/1024,1)
| where MB>10000
| fields st MB

It should work now, I tested it.

0 Karma

Explorer

st means sourcetype, right? I need it for index.

0 Karma

Contributor

For index use this:

index=_internal source=*license_usage.log type=Usage idx=test
| stats sum(b) AS bytes by idx
| eval MB=round(bytes/1024/1024,1)
| where MB>10000
| fields idx MB

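The same logic as the idx search above, reproduced offline as an added Python example that is not from the thread: it parses constructed license_usage.log lines (the field names type, s, st, h, idx, pool, b and poolsz are those of splunkd's real log; the timestamps, hosts, GUIDs and byte counts are made up), keeps only type=Usage events for one calendar day, sums b per idx and flags anything over the thread's 10000 MB threshold (roughly 10 GB; a strict 10 GiB would be 10240 MB). Grouping the same events by st alongside shows why the earlier st-based searches would miss the breach: the index's bytes split across two sourcetypes stay under the limit.

```python
"""Offline equivalent of:
index=_internal source=*license_usage.log type=Usage idx=<name>
| stats sum(b) AS bytes by idx | eval MB=round(bytes/1024/1024,1) | where MB>10000
Added example; not code from the Splunk Answers thread."""
import re
from collections import defaultdict

# Constructed sample, not a real capture. Field names follow splunkd's
# license_usage.log; values (dates, hosts, GUIDs, byte counts) are invented.
# Line 1 is from the previous day, line 5 is a RolloverSummary: both must be
# ignored by a daily per-index search.
SAMPLE_LOG = """\
05-13-2020 23:59:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app/test.log" st=app_json h=web01 o="" idx="test" i="1111" pool="auto_generated_pool_enterprise" b=8589934592 poolsz=53687091200
05-14-2020 00:01:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app/test.log" st=app_json h=web01 o="" idx="test" i="1111" pool="auto_generated_pool_enterprise" b=6442450944 poolsz=53687091200
05-14-2020 00:02:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st=syslog h=web02 o="" idx="test" i="1111" pool="auto_generated_pool_enterprise" b=5368709120 poolsz=53687091200
05-14-2020 00:03:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st=syslog h=web03 o="" idx="main" i="1111" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
05-14-2020 00:04:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary slave="1111" pool="auto_generated_pool_enterprise" stacksz=53687091200 b=21474836480 poolsz=53687091200
"""

# key=value pairs, quoted or bare; splunkd writes both forms on one line
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
DATE_RE = re.compile(r"^(\d{2}-\d{2}-\d{4})")


def parse_usage_events(log_text, day):
    """Return type=Usage events for one day (MM-DD-YYYY) as dicts.
    Stands in for `source=*license_usage.log type=Usage` plus the time
    picker. RolloverSummary lines also carry a `b` field, so the type
    filter is what keeps them from being summed into the daily total."""
    events = []
    for line in log_text.splitlines():
        m = DATE_RE.match(line)
        if not m or m.group(1) != day:
            continue
        fields = {k: (q if q else u) for k, q, u in KV_RE.findall(line)}
        if fields.get("type") == "Usage":
            events.append(fields)
    return events


def usage_mb_by(events, field):
    """`stats sum(b) AS bytes by <field> | eval MB=round(bytes/1024/1024,1)`.
    field is "idx" for per-index usage or "st" for per-sourcetype usage."""
    total = defaultdict(int)
    for ev in events:
        total[ev[field]] += int(ev["b"])
    return {k: round(v / 1024 / 1024, 1) for k, v in total.items()}


def over_limit(usage_mb, limit_mb=10000):
    """`where MB>10000`: the alert fires when this returns a non-empty dict."""
    return {k: mb for k, mb in usage_mb.items() if mb > limit_mb}


def license_alert(log_text, day, field="idx", limit_mb=10000):
    """Whole pipeline; returns {name: MB} for every group above the limit."""
    return over_limit(usage_mb_by(parse_usage_events(log_text, day), field), limit_mb)


if __name__ == "__main__":
    events = parse_usage_events(SAMPLE_LOG, "05-14-2020")
    print("by idx:", usage_mb_by(events, "idx"))   # {'test': 11264.0, 'main': 1024.0}
    print("by st: ", usage_mb_by(events, "st"))    # {'app_json': 6144.0, 'syslog': 6144.0}
    print("alert: ", license_alert(SAMPLE_LOG, "05-14-2020"))  # {'test': 11264.0}
```

In the real search the time picker does the day filtering and the Splunk scheduler evaluates the "number of results > 0" trigger, so only the grouping field and the `type=Usage` filter need to be right. Running the same three Usage events by `st` instead of `idx` returns nothing over the limit, which is the behaviour the thread ran into before switching to `idx`.
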
Explorer

Yeah, it worked. Great. Instead of st I have used idx. It looks good now. Thank you very much!!

Contributor

No problem, please accept and vote for the solution and comments.

Thanks.

0 Karma

Contributor

A little issue in the query:

index=_internal source=*license_usage.log type=Usage st="yourIndexName"
| stats sum(b) AS bytes by st
| eval MB=round(bytes/1024/1024,1)
| where MB>10000
| fields st MB

It should work now, I tested it.

Explorer

Hi,

Also, I need it for a specific index, not for all indexes or sourcetypes.

0 Karma

Contributor

Yes, st=yourspecificindexname

0 Karma