Alerting

License Alert Custom Condition

pdash
Path Finder

I am trying to monitor a license violation based on this search:

index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1024 | stats sum(MB) as totalMB by pool, date_mday |where totalMB > 1000 |eval today=strftime(now(), "%e")

This returns the table as:

pool                            date_mday  totalMB       today
auto_generated_pool_enterprise  1          1509.784787   9
auto_generated_pool_enterprise  2          1775.701592   9
auto_generated_pool_enterprise  3          1860.892447   9
auto_generated_pool_enterprise  4          16658.177067  9
auto_generated_pool_enterprise  5          17781.991444  9
auto_generated_pool_enterprise  6          2208.284199   9
auto_generated_pool_enterprise  7          12906.510156  9
auto_generated_pool_enterprise  8          16878.486005  9
auto_generated_pool_enterprise  9          12402.581627  9

Now my issue is that I want to set up an alert on the particular day when a license violation occurs, and not on subsequent days. So I am setting my custom alert condition as:

search totalMB>1000 and (date_mday=" "+today or date_mday=today)

This does not work. How do I write this custom condition?

0 Karma
1 Solution

pdash
Path Finder

Just answering my own question:
The query would be:
index=_internal source=*license_usage.log type=Usage
| eval MB=b/1024/1024
| stats sum(MB) as TotalMBUsed by pool, date_mday
| eval Today=trim(strftime(now(), "%e"), " ")
| eval MBAvailable=512000
| eval MBExceededBy=TotalMBUsed - MBAvailable
| eval Environment="DEV"
| eval TriggeredOn=if(tonumber(date_mday)=tonumber(Today), "Today", date_mday)
| where TotalMBUsed > MBAvailable

Time Range is @mon to now

Custom Condition is: search TriggeredOn="Today"

This would trigger the alert on the day a violation occurs, and the alert table will have all the violations of that month, so that you know how many violations you have had this month.


0 Karma
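To make the trigger logic concrete, here is an added example (my own Python, not pdash's SPL and not anything shipped by Splunk) that replays the accepted solution over a handful of constructed license_usage.log lines: it sums indexed MB per pool and day-of-month for the current month, lists every day above the threshold for the alert table, and fires only if today's total is among them. The sample lines are made up and only approximate the field layout of a real type=Usage event; the threshold, pool name and byte counts are assumptions. Day-of-month is compared as an integer, which is the simplest way around the " 9" / "09" / 9 padding mismatch between %e, %d and date_mday that comes up later in the thread.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample lines, modelled on the type=Usage events Splunk writes to
# license_usage.log (MM-DD-YYYY timestamp, pool="...", b=<bytes indexed>).
# Values are made up: the 4th and 9th exceed a 1000 MB threshold, the 5th does
# not, the February line is outside the @mon window, and the RolloverSummary
# line is not a type=Usage event and must be ignored.
SAMPLE_LOG = """\
02-28-2014 00:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st="syslog" h="fw1" idx="main" pool="auto_generated_pool_enterprise" b=5000000000 poolsz=536870912000
03-04-2014 00:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st="syslog" h="fw1" idx="main" pool="auto_generated_pool_enterprise" b=900000000 poolsz=536870912000
03-04-2014 00:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web1" idx="os" pool="auto_generated_pool_enterprise" b=300000000 poolsz=536870912000
03-05-2014 00:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st="syslog" h="fw1" idx="main" pool="auto_generated_pool_enterprise" b=500000000 poolsz=536870912000
03-09-2014 00:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st="syslog" h="fw1" idx="main" pool="auto_generated_pool_enterprise" b=1100000000 poolsz=536870912000
03-09-2014 00:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web1" idx="os" pool="auto_generated_pool_enterprise" b=200000000 poolsz=536870912000
03-09-2014 00:00:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary stacksz=536870912000 b=1300000000 poolsz=536870912000 pool="auto_generated_pool_enterprise"
"""

# Dates used by the demo below (assumed "now" values).
DEMO_TODAY = date(2014, 3, 9)
DEMO_NEXT_DAY = date(2014, 3, 10)
DEMO_EARLIER_DAY = date(2014, 3, 4)

USAGE_RE = re.compile(
    r'^(?P<month>\d{2})-(?P<day>\d{2})-(?P<year>\d{4}) .*?\btype=Usage\b.*?'
    r'\bpool="(?P<pool>[^"]*)".*?\bb=(?P<bytes>\d+)'
)


def daily_totals_mb(log_text, today):
    """Sum indexed MB per (pool, day-of-month) for type=Usage events in today's month.

    Mirrors: stats sum(MB) as TotalMBUsed by pool, date_mday with earliest=@mon.
    """
    totals = defaultdict(float)
    for line in log_text.splitlines():
        m = USAGE_RE.match(line)
        if not m:
            continue  # not a type=Usage event (e.g. RolloverSummary)
        if int(m["year"]) != today.year or int(m["month"]) != today.month:
            continue  # before the start of the month (@mon)
        day = int(m["day"])
        if day > today.day:
            continue  # after "now"
        totals[(m["pool"], day)] += int(m["bytes"]) / 1024 / 1024
    return dict(totals)


def evaluate_alert(log_text, today, threshold_mb):
    """Return (trigger, violations).

    violations: every (pool, day, total_mb) this month above threshold (the alert table)
    trigger:    True only if one of them is for today's date, so the alert fires on the
                day the limit is crossed and stays quiet on the days after.
    Comparing the day as an integer avoids the "%e" (" 9") vs "%d" ("09") vs
    date_mday ("9") string padding mismatch.
    """
    violations = sorted(
        (pool, day, round(total, 3))
        for (pool, day), total in daily_totals_mb(log_text, today).items()
        if total > threshold_mb
    )
    trigger = any(day == today.day for _, day, _ in violations)
    return trigger, violations


if __name__ == "__main__":
    for d in (DEMO_TODAY, DEMO_NEXT_DAY):
        fires, rows = evaluate_alert(SAMPLE_LOG, d, 1000)
        print(f"{d}: trigger={fires}")
        for pool, day, total in rows:
            print(f"  {pool}  date_mday={day:>2}  TotalMBUsed={total:.3f}")
```

Run as a script, it prints the month-to-date violations for the 9th (trigger=True) and again for the 10th (trigger=False, same two rows), which is the behaviour the custom condition on TriggeredOn is meant to give: the table always shows every violation so far this month, but the e-mail only goes out on the day a new one is recorded.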

kristian_kolb
Ultra Champion

Aah, yes, to concatenate use the dot operator:

eval aa = " " . date_mday

0 Karma


pdash
Path Finder

Well, the answer to your third question is that %d gives today as 09 and %e gives today as " 9", while date_mday gives just 9. In order to compare, I need to add the space when I have a single-digit day. Is there a way to concatenate?

0 Karma

kristian_kolb
Ultra Champion

First, you don't need to have search totalMB>1000 in the alert condition, since the original search already does that.

Second, 'or' should be 'OR'. 'and' should be 'AND'. There is a difference. However 'AND' is not needed, since there's an implicit AND between all search terms. Remove it.

Third, I do not understand date_mday=" "+today. What does that mean? Typo?

0 Karma

martin_mueller
SplunkTrust

Am I right in assuming that you want to raise an alert when the indexed volume of the previous day (or the current day?) exceeds a certain amount?

The easiest way to achieve that would be to filter the license usage events down to the relevant time frame straight away in the first search / the time picker. Then you have no issue filtering out the irrelevant days further down the query.

The alert condition would then just check if there is a result for the day in question that passed the >1000MB filter.

0 Karma

martin_mueller
SplunkTrust

I see you already found a solution yourself - accept that answer if you're satisfied to mark the question as resolved.

0 Karma

pdash
Path Finder

You are right, but the issue is that when the alert gets triggered I want it to show all violations within that month. So I am setting @mon to now as the time frame. Again, when I do this, it would just trigger every day, because it would find that condition in the search result even if it is from a previous day. I want it to send me an email only when there is an alert today and show me how many violations there have been this month.

0 Karma