Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to set up my Splunk cluster to alert me once I've indexed 4GB per day?

sympatiko
Communicator
‎03-03-2015 03:35 AM

Hi,

Is there a way to set my splunk cluster to alert me once I'm already indexing 4GB per day? I have a 5gb license. I just want to be alert before I exceed the allowed indexed per day.

BTW, my setup is RF=3 SF=3

Thanks,

0 Karma
Reply

linu1988
Champion
‎03-03-2015 04:08 AM

Hi Eddel,
Use the below one as an alert to get notified on your license Master.

index=_internal source=*license_usage.log type=Usage earliest=-0d@d | stats sum(b) as tot | eval GB=tot/1024/1024/1024 |table host,GB| where GB > 4

OR
Quicker

| rest /services/licenser/pools|where stack_id="enterprise" |eval used_bytes=used_bytes/(1024*1024*1024)|table splunk_server,used_bytes|where used_bytes >4|eval used_bytes=used_bytes." GB"|rename used_bytes as "Usage"

Thanks,
L

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎03-03-2015 03:59 AM

Hi sympatiko,

if you're on Splunk 6.2 use the DMC (Distributed Management Console) which has predefined alerts for this. It is called DMC Alert - Total License Usage Near Daily Quota and needs to be enabled. Read more in the docs here http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Platformalerts

If you're on pre Splunk 6.2 take a look at the docs here http://docs.splunk.com/Documentation/Splunk/6.0/Admin/LicenseUsageReportViewexamples

Hope this helps ...

cheers, MuS

Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...