Alerting

License Alert Custom Condition

pdash
Path Finder

Am trying to monitor a license violation based on this search

index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1024 | stats sum(MB) as totalMB by pool, date_mday |where totalMB > 1000 |eval today=strftime(now(), "%e")

This returns the table as:

pool                        date_mday   totalMB        today
auto_generated_pool_enterprise  1   1509.784787  9
auto_generated_pool_enterprise  2   1775.701592  9
auto_generated_pool_enterprise  3   1860.892447  9
auto_generated_pool_enterprise  4   16658.177067     9
auto_generated_pool_enterprise  5   17781.991444     9
auto_generated_pool_enterprise  6   2208.284199  9
auto_generated_pool_enterprise  7   12906.510156     9
auto_generated_pool_enterprise  8   16878.486005     9
auto_generated_pool_enterprise  9   12402.581627     9

Now my issue is i want to set up an alert on the particular day when a license violation occurs and not on subsequent days. So am setting my custom alert condition as:

search totalMB>1000 and (date_mday=" "+today or date_mday=today)

This does not work. How to write this custom condition?

Tags (3)
0 Karma
1 Solution

pdash
Path Finder

Just answering my own question:
The query would be:
index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1024 | stats sum(MB) as TotalMBUsed by pool, date_mday|eval Today=trim((strftime(now(), "%e")), " ")| eval MBExceededBy = 512000 - TotalMBUsed |eval MBAvailable = 512000 |eval Environment = "DEV" |eval TriggeredOn = if((match(date_mday,Today)), "Today", date_mday)|where TotalMBUsed > 512000

Time Range is @mon to now

Custom Condtion is "search TriggeredOn = Today"

This would trigger the alert on the day a violation occurs and the alert table will have all the violation of that month so that you know how many violations you have done in this month.

View solution in original post

0 Karma

kristian_kolb
Ultra Champion

aah, yes, to concatenate use the dot operator

eval aa = " " . date_mday

0 Karma

pdash
Path Finder

Just answering my own question:
The query would be:
index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1024 | stats sum(MB) as TotalMBUsed by pool, date_mday|eval Today=trim((strftime(now(), "%e")), " ")| eval MBExceededBy = 512000 - TotalMBUsed |eval MBAvailable = 512000 |eval Environment = "DEV" |eval TriggeredOn = if((match(date_mday,Today)), "Today", date_mday)|where TotalMBUsed > 512000

Time Range is @mon to now

Custom Condtion is "search TriggeredOn = Today"

This would trigger the alert on the day a violation occurs and the alert table will have all the violation of that month so that you know how many violations you have done in this month.

0 Karma

pdash
Path Finder

well the answer to your third question is because %d gives today as 09 and %e gives today as " 9". While date_mday gives as just 9. In order to compare i need to add the space when i have single digit day. Is there a way to concatenate?

0 Karma

kristian_kolb
Ultra Champion

First, you don't need to have search totalMB>1000 in the alert condition, since the original search already does that.

Second, 'or' should be 'OR'. 'and' should be 'AND'. There is a difference. However 'AND' is not needed, since there's an implicit AND between all search terms. Remove it.

Third, I do not understand date_mday=" "+today. What does that mean? Typo?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Am I right in assuming that you want to raise an alert when the indexed volume of the previous day (or the current day?) exceeds a certain amount?

The easiest way to achieve that would be to filter the license usage events down to the relevant time frame straight away in the first search / the time picker. Then you have no issue filtering out the irrelevant days further down the query.

The alert condition would then just check if there is a result for the day in question that passed the >1000MB filter.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I see you already found a solution yourself - accept that answer if you're satisfied to mark the question as resolved.

0 Karma

pdash
Path Finder

You are right but the issue is when the alert get triggered I want it to show all violations within that month. So am setting @mon to now as time frame. Again when I do this, it would just trigger everyday cause it would find that condition in the search result even if it is of a previous day. I want it to send me an email only when there is an alert today and show me how many violations in this month.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...