Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

trigger alert if license utilization by an index is increased by 50GB comparing to last day

vikas_gopal
Builder
‎10-01-2021 03:50 PM

HI Experts ,

I want to rigger an alert based on below scenario

1) Get license utilization in GB for yesterday and day before yesterday .

2) Show difference in GB and if the difference is increased by 40GB then trigger an alert

Something like below , I want to trigger alert only for line 2 that is for database

index_nameyesterdayday_before_yesterdaydiff
application20GB10GB10GB
database30GB70GB40GB
security40GB20GB20GB
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vikas_gopal
Builder
‎10-01-2021 05:51 PM

Well I have achieved this with below search query , hope this will help someone

Run this from LM

index=_internal sourcetype=splunkd source=*license_usage.log type=usage earliest=-2d@d latest=@d
| eval day=if(_time>relative_time(now(),"-1d@d"),"Yesterday","Day_Before_Yesterday") | chart sum(b) as usage by idx day
| eval Yesterday=round(Yesterday/1024/1024/1024,2) | eval Day_Before_Yesterday=round(Day_Before_Yesterday/1024/1024/1024,2)
| eval diff=round((Yesterday-Day_Before_Yesterday),2)|where diff>20

View solution in original post

Reply
Solved! Jump to solution
Solution

vikas_gopal
Builder
‎10-01-2021 05:51 PM

Well I have achieved this with below search query , hope this will help someone

Run this from LM

index=_internal sourcetype=splunkd source=*license_usage.log type=usage earliest=-2d@d latest=@d
| eval day=if(_time>relative_time(now(),"-1d@d"),"Yesterday","Day_Before_Yesterday") | chart sum(b) as usage by idx day
| eval Yesterday=round(Yesterday/1024/1024/1024,2) | eval Day_Before_Yesterday=round(Day_Before_Yesterday/1024/1024/1024,2)
| eval diff=round((Yesterday-Day_Before_Yesterday),2)|where diff>20

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...