Alerting

How to set up a triggered alert on an index based on usage?

user543210
New Member

Hello, I would like to set up an ongoing alert to be triggered any time an index ingests 20GB of logs. This is to prevent a license violation due to developers turning on debug mode and leaving it on, resulting in a lot of unnecessary logs after the issue is resolved. Thank you!

0 Karma

somesoni2
Revered Legend

You can use Splunk's license usage log to do so.
This will check the current day's usage up to the current time. You'll receive an alert soon after the index's usage for today is over 20GB. You can run this search every hour OR every 15 minutes, depending upon how quickly you want to get reported.
For a specific index:

index=_internal sourcetype=splunkd component=LicenseUsage idx="yourIndexName" earliest=@d
| stats sum(b) as Usage | eval Usage=round(Usage/1024/1024/1024,2) | where Usage>20

Generic for any index (this will give a list of all indexes whose total license usage for the day is over 20GB):

index=_internal sourcetype=splunkd component=LicenseUsage earliest=@d
| stats sum(b) as Usage by idx | eval Usage=round(Usage/1024/1024/1024,2) | where Usage>20
0 Karma
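One way to schedule the generic search above as a saved alert, as an added example that is not part of the original answer. The stanza name, the hourly cron schedule and the recipient address are assumptions; the per-index suppression keeps the alert from firing every hour for the same index once it has crossed 20GB.

```ini
# savedsearches.conf (example stanza, not from the original post)
# Place in an app's local/ directory on the search head and reload.
[Index license usage over 20GB]
search = index=_internal sourcetype=splunkd component=LicenseUsage earliest=@d \
| stats sum(b) as Usage by idx \
| eval Usage=round(Usage/1024/1024/1024,2) \
| where Usage>20
enableSched = 1
# Run at the top of every hour; use */15 * * * * for every 15 minutes.
cron_schedule = 0 * * * *
dispatch.earliest_time = @d
dispatch.latest_time = now
# Fire when the search returns at least one row (one row per index over 20GB).
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
alert.severity = 4
# Suppress repeat alerts for the same idx for 24h so each index fires once per day.
alert.suppress = 1
alert.suppress.fields = idx
alert.suppress.period = 24h
actions = email
action.email.to = ALERT_RECIPIENT_PLACEHOLDER
action.email.subject = Index over 20GB today: $result.idx$
```

Because the search only counts usage since midnight, an index that crosses 20GB late in the day still shows up on the next hourly run, and the suppression resets once the 24h window has passed.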