Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create an alert to notify me via email when an index goes over 50% of the daily license quota?

agentguerry
Path Finder
‎10-26-2015 08:48 AM

How can I set an alert to notify my with a trigger condition for when the % of the index hits or goes above 50 percent for the day?

I am assuming I can use this search, which is from the "Settings>Licensing>Usage Report" page, labeled "Today's Percentage of Daily License Quota used per pool"

| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% used"=round(used_bytes/quota*100,2) | fields Pool "% used"

I set it to run every hour, but what would I put for my trigger condition to say, "only email if it's over 50%"?

I am not sure how to use the "Trigger condition", or the "Trigger if number of results" portions.

Thanks!

0 Karma
Reply

hexx
Splunk Employee
Splunk Employee
‎10-26-2015 09:46 AM

I would suggest to set up (and adjust as needed) the "Total license usage near daily quota" platform alert that ships with the Distributed Management Con....

0 Karma
Reply

woodcock
Esteemed Legend
‎10-26-2015 09:28 AM

Build your threshold into your search like this:

... | where "% used" > "50"

Then trigger for if number of results > 0.

Reply

agentguerry
Path Finder
‎10-26-2015 09:33 AM

for "condition"

it offers:

if number of events, hosts, sources, or custom.

Would I be choosing 'custom', and then in the
"custom condition search" put , [if number of results > 0]?

thanks woodcock.

Reply

woodcock
Esteemed Legend
‎10-26-2015 09:40 AM

Use events.

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...