Re: Requesting help to create an alert as below.

x1045866 · ‎06-25-2019

Hi,

Please can some one help me t create the alert for below requirement.

"For the following indexes below, create an alert that monitors license volume exceeding 10% of the rolling average of the last 30 days of volume.

1 proxy
2 Dns
3 windows
4 Linux
5 Firewall"

adonio · ‎06-26-2019

there are many answers for this topic in this portal, here are some examples:
https://answers.splunk.com/answers/716733/how-do-you-calculate-the-growth-of-each-index-on-a.html
https://answers.splunk.com/answers/231310/calculating-the-percentage-growth-value-of-a-field.html
and also many ways to calculate the size and growth of an index ...
here is a quick draw, i hope you will find it useful:

index=_internal source=*license_usage.log type="Usage" idx IN(proxy Dns windows Linux Firewall)
| bin _time span=1d 
| eventstats sum(b) as daily_b by idx _time 
| eval daily_mb = daily_b/1024/1024
| stats max(daily_mb) as total_daily by _time idx
| streamstats window=30 current=f global=f avg(total_daily) as running_avg by idx
| eval ten_percent_on_top = running_avg + running_avg/10
| eval flag = if(total_daily>ten_percent_on_top,"Alarm","All Good")

note, this search can get expensive as the data is verbose. its recommended to summarize your daily license stats and query the summary index with the data

Requesting help to create an alert as below.

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...