How to create an alert to notify me via email when an index goes over 50% of the daily license quota?

agentguerry
Path Finder

How can I set an alert to notify me with a trigger condition for when the % of the index hits or goes above 50 percent for the day?

I am assuming I can use this search, which is from the "Settings>Licensing>Usage Report" page, labeled "Today's Percentage of Daily License Quota used per pool"

| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% used"=round(used_bytes/quota*100,2) | fields Pool "% used"

I set it to run every hour, but what would I put for my trigger condition to say, "only email if it's over 50%"?

I am not sure how to use the "Trigger condition", or the "Trigger if number of results" portions.

Thanks!

0 Karma

hexx
Splunk Employee
0 Karma

woodcock
Esteemed Legend

Build your threshold into your search like this:

... | where '% used' > 50

Then trigger for if number of results > 0.

0 Karma

agentguerry
Path Finder

For "condition" it offers: if number of events, hosts, sources, or custom.

Would I be choosing 'custom', and then in the "custom condition search" put [if number of results > 0]?

Thanks, woodcock.

0 Karma

woodcock
Esteemed Legend

Use events.

0 Karma