Requesting help to create an alert as below.

x1045866 · ‎06-25-2019

Hi,

Please can some one help me t create the alert for below requirement.

"For the following indexes below, create an alert that monitors license volume exceeding 10% of the rolling average of the last 30 days of volume.

1 proxy
2 Dns
3 windows
4 Linux
5 Firewall"

adonio · ‎06-26-2019

there are many answers for this topic in this portal, here are some examples:
https://answers.splunk.com/answers/716733/how-do-you-calculate-the-growth-of-each-index-on-a.html
https://answers.splunk.com/answers/231310/calculating-the-percentage-growth-value-of-a-field.html
and also many ways to calculate the size and growth of an index ...
here is a quick draw, i hope you will find it useful:

index=_internal source=*license_usage.log type="Usage" idx IN(proxy Dns windows Linux Firewall)
| bin _time span=1d 
| eventstats sum(b) as daily_b by idx _time 
| eval daily_mb = daily_b/1024/1024
| stats max(daily_mb) as total_daily by _time idx
| streamstats window=30 current=f global=f avg(total_daily) as running_avg by idx
| eval ten_percent_on_top = running_avg + running_avg/10
| eval flag = if(total_daily>ten_percent_on_top,"Alarm","All Good")

note, this search can get expensive as the data is verbose. its recommended to summarize your daily license stats and query the summary index with the data

Requesting help to create an alert as below.

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)