is it possible to setup an alert if someone accidentally sned huge log entries to the HTP Collector for example on an average it always receives data < 50 MB at any regulat intervals of time. Due to any developer's mistake by enabling debug logging or sending wrong log entries of huge sizes more than 50 MB sent to HTTP Collector at a given chunk.
Setting up alert for such behavior will help in alerting the users to chekc if the source is expected or it was due to any human error. Please let me know if someone has achieved it.
You can use
_introspection index to achieve this.
To start with you can use below query
index=_introspection host=gblvap000268 sourcetype=http_event_collector_metrics "data.token_name"=*
| rename data.* as *
| stats avg(total_bytes_received) as bytes_received by token_name
EDIT: Query updated for to find avg based on token name