Re: Requesting help to create an alert as below.

x1045866 · ‎06-25-2019

Hi,

Please can some one help me t create the alert for below requirement.

"For the following indexes below, create an alert that monitors license volume exceeding 10% of the rolling average of the last 30 days of volume.

1 proxy
2 Dns
3 windows
4 Linux
5 Firewall"

adonio · ‎06-26-2019

there are many answers for this topic in this portal, here are some examples:
https://answers.splunk.com/answers/716733/how-do-you-calculate-the-growth-of-each-index-on-a.html
https://answers.splunk.com/answers/231310/calculating-the-percentage-growth-value-of-a-field.html
and also many ways to calculate the size and growth of an index ...
here is a quick draw, i hope you will find it useful:

index=_internal source=*license_usage.log type="Usage" idx IN(proxy Dns windows Linux Firewall)
| bin _time span=1d 
| eventstats sum(b) as daily_b by idx _time 
| eval daily_mb = daily_b/1024/1024
| stats max(daily_mb) as total_daily by _time idx
| streamstats window=30 current=f global=f avg(total_daily) as running_avg by idx
| eval ten_percent_on_top = running_avg + running_avg/10
| eval flag = if(total_daily>ten_percent_on_top,"Alarm","All Good")

note, this search can get expensive as the data is verbose. its recommended to summarize your daily license stats and query the summary index with the data

Requesting help to create an alert as below.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation