
Alert if Index is getting more than 10GB of incoming data

rashi83
Explorer

I am using the query below to find the size of an index. How can I modify it to alert me if an index is getting more than 10 GB of incoming data?

index=_internal [`set_local_host`] source=license_usage.log type="Usage" idx="*"| eval MB = round(b/1048576,2) | eval st_idx = st.": ".idx | timechart span=1d sum(MB) by st_idx | addtotals


renjith_nair
SplunkTrust

@rashi83,

Set the time range according to your requirement (1 day, 6 hours, etc.):

index=_internal [`set_local_host`] source=*license_usage.log type="Usage" idx="*"
|stats sum(b) as vol by idx | eval gb=round(vol/1073741824,2)
|where gb>=10

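To turn the accepted search into a scheduled alert, it has to be saved with a schedule, a time window and a trigger condition. The following savedsearches.conf stanza is an added example and is not part of the thread; the stanza name, the cron time, the recipient address and the choice of a one-day window are assumptions. Note two details from the thread itself: the search reads license_usage.log, which is written on the license master, so `set_local_host` restricts it to that host and the saved search should be created where that log is indexed; and the answer's `where gb>=10` fires at exactly 10 GB, so use `gb>10` if you want strictly "more than".

```ini
# savedsearches.conf in an app's local/ directory on the search head that
# indexes license_usage.log (normally the license master).
# Added example, not from the thread: stanza name, schedule and
# recipient are assumptions.
[Index ingesting over 10 GB per day]
# The search from the accepted answer. A trailing backslash continues
# the value onto the next line in Splunk .conf files.
search = index=_internal [`set_local_host`] source=*license_usage.log type="Usage" idx="*" \
| stats sum(b) as vol by idx \
| eval gb=round(vol/1073741824,2) \
| where gb>=10
# Window: the previous full calendar day, evaluated shortly after midnight.
# license_usage.log lives in _internal, so the window must stay inside
# that index's retention period.
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
enableSched = 1
cron_schedule = 5 0 * * *
# Trigger whenever the search returns at least one row, i.e. at least
# one index exceeded the threshold in the window.
counttype = number of events
relation = greater than
quantity = 0
# digest_mode = 0 fires once per result row, so each index over the
# threshold produces its own alert carrying its own idx and gb values.
alert.digest_mode = 0
alert.suppress = 0
alert.track = 1
alert.severity = 3
action.email = 1
action.email.to = ops@example.com
action.email.subject = Splunk index over 10 GB: $result.idx$ ($result.gb$ GB)
action.email.inline = 1
```

Validate with `splunk btool savedsearches list "Index ingesting over 10 GB per day" --debug` after restarting or reloading, then check Settings > Searches, reports, and alerts to confirm the schedule is enabled. For a shorter reaction time, narrow the window (for example `-6h@h` to `@h` with a matching cron) and lower the threshold proportionally, since the 10 GB figure in the thread is per day.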


rashi83
Explorer

Thank you.
