how to setup a triggered alert on a index based on usage?

New Member

Hello, I would like to setup ongoing alert to be triggered anytime an index ingests 20gb of logs. This is to prevent a license violation due to developers turning on debug mode and leave it one resulting in a lot of unnecessary logs after the issue is resolved. Thank you!

0 Karma

Revered Legend

You can use Splunk's license usage log to do so.
This will check current day's usage till current time. You'll receive an alert soon after index's today's usage is over 20GB. You can run this search every hour OR every 15 minutes, depending upon how quickly you want to get reported.
For a specific index-

index=_internal sourcetype=splunkd component=LicenseUsage idx="yourIndexName" earliest=@d
| stats sum(b) as Usage | eval Usage=round(Usage/1024/1024/1024,2) | where Usage>20

Generic for any index using (will give list of all indexes whose total license usage for day is over 20GB.

index=_internal sourcetype=splunkd component=LicenseUsage earliest=@d
| stats sum(b) as Usage by idx | eval Usage=round(Usage/1024/1024/1024,2) | where Usage>20
0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...