Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to setup a triggered alert on a index based on usage?

user543210
New Member
‎02-07-2020 01:22 PM

Hello, I would like to setup ongoing alert to be triggered anytime an index ingests 20gb of logs. This is to prevent a license violation due to developers turning on debug mode and leave it one resulting in a lot of unnecessary logs after the issue is resolved. Thank you!

0 Karma
Reply

somesoni2
Revered Legend
‎02-07-2020 02:10 PM

You can use Splunk's license usage log to do so.
This will check current day's usage till current time. You'll receive an alert soon after index's today's usage is over 20GB. You can run this search every hour OR every 15 minutes, depending upon how quickly you want to get reported.
For a specific index- 

index=_internal sourcetype=splunkd component=LicenseUsage idx="yourIndexName" earliest=@d
| stats sum(b) as Usage | eval Usage=round(Usage/1024/1024/1024,2) | where Usage>20

Generic for any index using (will give list of all indexes whose total license usage for day is over 20GB.

index=_internal sourcetype=splunkd component=LicenseUsage earliest=@d
| stats sum(b) as Usage by idx | eval Usage=round(Usage/1024/1024/1024,2) | where Usage>20
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...