How can I set an alert to notify my with a trigger condition for when the % of the index hits or goes above 50 percent for the day?
I am assuming I can use this search, which is from the "Settings>Licensing>Usage Report" page, labeled "Today's Percentage of Daily License Quota used per pool"
| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% used"=round(used_bytes/quota*100,2) | fields Pool "% used"
I set it to run every hour, but what would I put for my trigger condition to say, "only email if it's over 50%"?
I am not sure how to use the "Trigger condition", or the "Trigger if number of results" portions.
if number of events, hosts, sources, or custom.
Would I be choosing 'custom', and then in the
"custom condition search" put , [if number of results > 0]?