I am trying to monitor license violations based on this search:
index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1024 | stats sum(MB) as totalMB by pool, date_mday | where totalMB > 1000 | eval today=strftime(now(), "%e")
This returns the table as:
pool                            date_mday   totalMB        today
auto_generated_pool_enterprise  1           1509.784787    9
auto_generated_pool_enterprise  2           1775.701592    9
auto_generated_pool_enterprise  3           1860.892447    9
auto_generated_pool_enterprise  4           16658.177067   9
auto_generated_pool_enterprise  5           17781.991444   9
auto_generated_pool_enterprise  6           2208.284199    9
auto_generated_pool_enterprise  7           12906.510156   9
auto_generated_pool_enterprise  8           16878.486005   9
auto_generated_pool_enterprise  9           12402.581627   9
Now my issue is that I want to set up an alert on the particular day when a license violation occurs and not on subsequent days. So I am setting my custom alert condition as:
search totalMB>1000 and (date_mday=" "+today or date_mday=today)
This does not work. How do I write this custom condition?
Am I right in assuming that you want to raise an alert when the indexed volume of the previous day (or the current day?) exceeds a certain amount?
The easiest way to achieve that would be to filter the license usage events down to the relevant time frame straight away in the first search / the time picker. Then you have no issue filtering out the irrelevant days further down the query.
The alert condition would then just check if there is a result for the day in question that passed the >1000MB filter.
You are right, but the issue is that when the alert gets triggered I want it to show all violations within that month. So I am setting @mon to now as the time frame. Again, when I do this, it would just trigger every day because it would find that condition in the search result even if it is from a previous day. I want it to send me an email only when there is an alert today and show me how many violations there have been this month.
First, you don't need to have search totalMB>1000 in the alert condition, since the original search already does that.
Second, 'or' should be 'OR' and 'and' should be 'AND'. There is a difference. However, 'AND' is not needed, since there's an implicit AND between all search terms. Remove it.
Third, I do not understand date_mday=" "+today. What does that mean? Typo?
Well, the answer to your third question is that %d gives today as 09 and %e gives today as " 9", while date_mday gives just 9. In order to compare, I need to add the space when I have a single-digit day. Is there a way to concatenate?
Just answering my own question:
The query would be:
index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1024 | stats sum(MB) as TotalMBUsed by pool, date_mday | eval Today=trim(strftime(now(), "%e"), " ") | eval MBExceededBy = TotalMBUsed - 512000 | eval MBAvailable = 512000 | eval Environment = "DEV" | eval TriggeredOn = if(match(date_mday, Today), "Today", date_mday) | where TotalMBUsed > 512000
Time range is @mon to now.
Custom condition is "search TriggeredOn = Today".
This would trigger the alert on the day a violation occurs, and the alert table will have all the violations of that month, so that you know how many violations you have had this month.
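The alert logic from the accepted answer, as an added Python example that is not part of the original thread and not Splunk's own code: it parses a few constructed lines in the shape of license_usage.log type=Usage records, sums bytes per pool and day (the stats step), keeps the days over the threshold (the where step), and fires only when one of those rows belongs to today while still returning every violation of the month for the email. The pool name is the one from the question; the timestamps, hosts, byte counts, the 1000 MB threshold and "today is the 9th" are assumptions made for the example. The day comparison is done on integers, which sidesteps the "09" / " 9" / "9" padding problem the thread discusses.

```python
import re
from collections import defaultdict

# Constructed sample data in the shape of Splunk's license_usage.log type=Usage
# records (MM-DD-YYYY timestamps). Hosts, sources and byte counts are made up.
# The second line is a non-Usage record (constructed) to show it is skipped.
SAMPLE_LOG = """\
10-01-2019 00:00:00.000 +0000 INFO LicenseUsage - type=Usage s="app.log" st="app" h="web01" o="" idx="main" i="DEV" pool="auto_generated_pool_enterprise" b=1677721600 poolsz=536870912000
10-02-2019 00:00:00.000 +0000 INFO LicenseUsage - type=RolloverSummary (constructed placeholder, not a Usage record)
10-02-2019 00:00:00.000 +0000 INFO LicenseUsage - type=Usage s="app.log" st="app" h="web01" o="" idx="main" i="DEV" pool="auto_generated_pool_enterprise" b=524288000 poolsz=536870912000
10-09-2019 00:00:00.000 +0000 INFO LicenseUsage - type=Usage s="app.log" st="app" h="web01" o="" idx="main" i="DEV" pool="auto_generated_pool_enterprise" b=734003200 poolsz=536870912000
10-09-2019 00:00:00.000 +0000 INFO LicenseUsage - type=Usage s="db.log" st="db" h="db01" o="" idx="main" i="DEV" pool="auto_generated_pool_enterprise" b=524288000 poolsz=536870912000
"""

# Pull the day of month (date_mday), the pool and the byte count out of a Usage line.
USAGE_RE = re.compile(
    r'^(?P<month>\d{2})-(?P<day>\d{2})-(?P<year>\d{4}) .*?type=Usage .*?'
    r'pool="(?P<pool>[^"]+)" b=(?P<bytes>\d+)'
)


def parse_usage(log_text):
    """Return (pool, date_mday, bytes) for every type=Usage line; other lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = USAGE_RE.search(line)
        if m:
            records.append((m.group("pool"), int(m.group("day")), int(m.group("bytes"))))
    return records


def daily_totals_mb(records):
    """Equivalent of: eval MB=b/1024/1024 | stats sum(MB) as totalMB by pool, date_mday."""
    totals = defaultdict(float)
    for pool, day, nbytes in records:
        totals[(pool, day)] += nbytes / 1024 / 1024
    return dict(totals)


def violations(totals, threshold_mb):
    """Equivalent of: where totalMB > threshold. Rows are sorted by pool, then day."""
    rows = [
        {"pool": pool, "date_mday": day, "totalMB": mb}
        for (pool, day), mb in totals.items()
        if mb > threshold_mb
    ]
    return sorted(rows, key=lambda r: (r["pool"], r["date_mday"]))


def evaluate_alert(rows, today_mday):
    """Tag each violation row with TriggeredOn, as the accepted answer's eval does, and
    fire only when at least one row is tagged "Today". All rows are returned so the
    notification can still list every violation of the month. Days are compared as
    integers, so no padding of single-digit days is needed."""
    tagged = []
    for row in rows:
        row = dict(row)
        row["TriggeredOn"] = "Today" if row["date_mday"] == today_mday else str(row["date_mday"])
        tagged.append(row)
    fire = any(r["TriggeredOn"] == "Today" for r in tagged)
    return fire, tagged


if __name__ == "__main__":
    totals = daily_totals_mb(parse_usage(SAMPLE_LOG))
    rows = violations(totals, threshold_mb=1000)
    fire, table = evaluate_alert(rows, today_mday=9)  # assume the search runs on the 9th
    print("fire alert:", fire)
    for r in table:
        print(f'{r["pool"]}  day={r["date_mday"]:>2}  totalMB={r["totalMB"]:.2f}  TriggeredOn={r["TriggeredOn"]}')
```

Run on the 9th, the sample fires (day 9 is 1200 MB) and the table also carries day 1; run on the 10th, the same table is produced but the alert stays quiet, which is the behaviour the thread was after.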