Solved: Re: Alert to show if a Users data level goves over...

DDewarSplunk · ‎12-12-2017

Afternoon Splunk Gurus

I am trying to create an alert, where as if a users data (Bytes_out) goes over 1GB then I get an email.

So far I can list the users as per below but am now struggling to define only data over 1GB and get the alert to send me an email (Like a table) with user name PC Name Etc Etc

Any help would be really appreciated.

Thanks

D

mayurr98 · ‎12-12-2017

hey @DDewarSplunk

You can define your condition in the query itself and just create an alert

sourcetype="traffic" eventtype="traffic" 
| stats sum(bytes_out) by user src_ip app app:subcategory eventtype
| dedup user, src_ip, app, app:subcategory
| rename sum(bytes_out) as sbo 
| eval "MegaBytes"=((sbo)/1024)/1024 
| fields - sbo
| sort -"MegaBytes" 
| sort -total | where MegaBytes>1024

Let me know if it works!

View solution in original post

mayurr98 · ‎12-12-2017

hey @DDewarSplunk

You can define your condition in the query itself and just create an alert

sourcetype="traffic" eventtype="traffic" 
| stats sum(bytes_out) by user src_ip app app:subcategory eventtype
| dedup user, src_ip, app, app:subcategory
| rename sum(bytes_out) as sbo 
| eval "MegaBytes"=((sbo)/1024)/1024 
| fields - sbo
| sort -"MegaBytes" 
| sort -total | where MegaBytes>1024

Let me know if it works!

DDewarSplunk · ‎12-12-2017

Ahh Thanks....I t I was over thinking \ complicating it !!
Keep it nice and simple is the secret !

Thanks very much Mayurr98

Alert to show if a Users data level goves over 1GB

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life