I am using the below query to find the size of an index. How can I modify it to alert me if an index is getting more than 10 GB of incoming data?
index=_internal [`set_local_host`] source=license_usage.log type="Usage" idx="*" | eval MB = round(b/1048576,2) | eval st_idx = st.": ".idx | timechart span=1d sum(MB) by st_idx | addtotals
@rashi83,
Set the time range according to your requirement (1 day, 6 hours, etc.)
index=_internal [`set_local_host`] source=*license_usage.log type="Usage" idx="*"
|stats sum(b) as vol by idx | eval gb=round(vol/1073741824,2)
|where gb>=10
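Added example, not part of the original answer: one way to run the search above as a scheduled alert through a savedsearches.conf stanza. The stanza name, the one-day window, the cron schedule, the severity and the e-mail recipient are all assumptions to adjust for your environment.

```ini
# savedsearches.conf
# Added example; stanza name, schedule and recipient are assumed values.
[Index ingest over 10 GB per day]
search = index=_internal [`set_local_host`] source=*license_usage.log type="Usage" idx="*" \
| stats sum(b) as vol by idx \
| eval gb=round(vol/1073741824,2) \
| where gb>=10

# Evaluate the previous full calendar day so each sum covers a complete 24 hours.
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d

# Run once a day, shortly after midnight.
enableSched = 1
cron_schedule = 15 0 * * *

# Trigger when the search returns at least one row (one row per index at or over 10 GB).
counttype = number of events
relation = greater than
quantity = 0

# Fire once per result row instead of once per search, and throttle per index.
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = idx
alert.suppress.period = 24h

# Show the alert under Triggered Alerts and send an e-mail.
alert.track = 1
alert.severity = 4
action.email = 1
action.email.to = splunk-admins@example.com
action.email.subject = Index $result.idx$ ingested $result.gb$ GB in the last day
```

For a shorter window such as 6 hours, change the dispatch times and cron_schedule together so consecutive runs neither overlap nor leave gaps.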
thank you