Solved: alert when an increase of indexed data more than 1...

nikolab · ‎11-20-2015

Hi
I know that you have been answered before something similarly, but..I need for my managemant set alert on splunk when indexed volume data are 10% higher than daily average.
We have a problems to detect which of ours sourcetypes, indexes or sources produce a high volume of data, so I need alert to notify me by email where is a problem.

thanks in advance

Nikola

mreynov_splunk · ‎11-20-2015

In this answer you can get the daily volume: https://answers.splunk.com/answers/29415/daily-index-volume-by-sourcetype.html
You can run the same search for the day before and use eval to compare

View solution in original post

mreynov_splunk · ‎11-20-2015

In this answer you can get the daily volume: https://answers.splunk.com/answers/29415/daily-index-volume-by-sourcetype.html
You can run the same search for the day before and use eval to compare

nikolab · ‎11-23-2015

Thanks..it is ok, and works fine. Now I can compare index or sourcetype with day or week before.
I have just one question...is it possible that splunk tell me which host ( and we have hundreds of them ) produces the greatest amount of data?
It would be very useful for quick response the problem.

thanks

Nikola

nikolab · ‎11-20-2015

And, alert is not a problem..my problem is good search which will give to me the comparison of volume data..avg and 10% higher

thanks

alert when an increase of indexed data more than 10%

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life