Re: How to create an alert to notify me via email ...

agentguerry · ‎10-26-2015

How can I set an alert to notify my with a trigger condition for when the % of the index hits or goes above 50 percent for the day?

I am assuming I can use this search, which is from the "Settings>Licensing>Usage Report" page, labeled "Today's Percentage of Daily License Quota used per pool"

| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% used"=round(used_bytes/quota*100,2) | fields Pool "% used"

I set it to run every hour, but what would I put for my trigger condition to say, "only email if it's over 50%"?

I am not sure how to use the "Trigger condition", or the "Trigger if number of results" portions.

Thanks!

hexx · ‎10-26-2015

I would suggest to set up (and adjust as needed) the "Total license usage near daily quota" platform alert that ships with the Distributed Management Con....

woodcock · ‎10-26-2015

Build your threshold into your search like this:

... | where "% used" > "50"

Then trigger for if number of results > 0.

agentguerry · ‎10-26-2015

for "condition"

it offers:

if number of events, hosts, sources, or custom.

Would I be choosing 'custom', and then in the
"custom condition search" put , [if number of results > 0]?

thanks woodcock.

woodcock · ‎10-26-2015

Use events.

How to create an alert to notify me via email when an index goes over 50% of the daily license quota?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life