Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to set up my Splunk cluster to alert me once I've indexed 4GB per day?

sympatiko
Communicator
‎03-03-2015 03:35 AM

Hi,

Is there a way to set my splunk cluster to alert me once I'm already indexing 4GB per day? I have a 5gb license. I just want to be alert before I exceed the allowed indexed per day.

BTW, my setup is RF=3 SF=3

Thanks,

0 Karma
Reply

linu1988
Champion
‎03-03-2015 04:08 AM

Hi Eddel,
Use the below one as an alert to get notified on your license Master.

index=_internal source=*license_usage.log type=Usage earliest=-0d@d | stats sum(b) as tot | eval GB=tot/1024/1024/1024 |table host,GB| where GB > 4

OR
Quicker

| rest /services/licenser/pools|where stack_id="enterprise" |eval used_bytes=used_bytes/(1024*1024*1024)|table splunk_server,used_bytes|where used_bytes >4|eval used_bytes=used_bytes." GB"|rename used_bytes as "Usage"

Thanks,
L

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎03-03-2015 03:59 AM

Hi sympatiko,

if you're on Splunk 6.2 use the DMC (Distributed Management Console) which has predefined alerts for this. It is called DMC Alert - Total License Usage Near Daily Quota and needs to be enabled. Read more in the docs here http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Platformalerts

If you're on pre Splunk 6.2 take a look at the docs here http://docs.splunk.com/Documentation/Splunk/6.0/Admin/LicenseUsageReportViewexamples

Hope this helps ...

cheers, MuS

Reply
Get Updates on the Splunk Community!

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...