I am looking for help to see how I can have my current alert, which emails me that our quota is 75% full, also present in my email the top 10 offenders of logging.
Is that possible?
Currently the search I'm using to show a 30G quota being 75% full is:
index=_internal source="license_usage.lo" type=Usage pool="Linux Pool" earliest=@d| stats sum(b) as bytes | eval gb=bytes/1024/1024/1024|where gb>=22
Is there a way on the search to also have it show the top offenders, such as:
index=* | top limit=10 host
Try like this:
index=_internal source="license_usage.lo" type=Usage pool="Linux Pool" earliest=@d
| stats sum(b) as usageGB by h
| eval usageGB=usageGB/1024/1024/1024
| eventstats sum(usageGB) as TotalUsage
| sort 10 -usageGB
| where TotalUsage>=22
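Added example, not from the original thread: a small Python script that replays the answer's aggregation offline over constructed license_usage.log-style lines (the hosts, pools and byte counts are made up), so the per-host sum, the pool-total threshold and the descending sort can be checked without a Splunk instance.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like Splunk's license_usage.log type=Usage
# events (h=host, pool, b=bytes); every value below is made up for illustration.
SAMPLE_LOG = r"""
01-15-2024 00:05:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st="syslog" h="web01" idx="linux" pool="Linux Pool" b=12884901888 poolsz=32212254720
01-15-2024 00:05:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web02" idx="linux" pool="Linux Pool" b=6442450944 poolsz=32212254720
01-15-2024 00:05:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st="syslog" h="db01" idx="linux" pool="Linux Pool" b=4294967296 poolsz=32212254720
01-15-2024 00:05:01.000 +0000 INFO  LicenseUsage - type=Usage s="C:\logs\app.log" st="iis" h="win01" idx="windows" pool="Windows Pool" b=9663676416 poolsz=32212254720
01-15-2024 00:05:01.000 +0000 INFO  LicenseUsage - type=RolloverSummary idx="linux" pool="Linux Pool" b=53687091200 poolsz=32212254720
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
GB = 1024 ** 3                               # same divisor as /1024/1024/1024 in SPL

def parse_events(text):
    """Turn each non-empty log line into a dict of key=value pairs (quotes stripped)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return events

def top_offenders(text, pool, threshold_gb, limit=10):
    """Mirror the SPL: keep type=Usage for one pool, sum bytes per host, compare the
    pool total with the quota threshold, and return the heaviest hosts first.
    Returns (total_gb, rows); rows is empty when the total is under the threshold,
    which is what the trailing `where TotalUsage>=22` does to the SPL result."""
    per_host = defaultdict(int)
    for ev in parse_events(text):
        if ev.get("type") == "Usage" and ev.get("pool") == pool:
            per_host[ev["h"]] += int(ev["b"])       # stats sum(b) by h
    total_gb = sum(per_host.values()) / GB          # eventstats sum(usageGB)
    if total_gb < threshold_gb:
        return total_gb, []
    rows = sorted(((h, b / GB) for h, b in per_host.items()),
                  key=lambda r: r[1], reverse=True)  # sort -usageGB (descending)
    return total_gb, rows[:limit]                    # sort 10 / top limit=10

if __name__ == "__main__":
    total, rows = top_offenders(SAMPLE_LOG, "Linux Pool", threshold_gb=22)
    print(f"Linux Pool total today: {total:.2f} GB")
    for host, gb in rows:
        print(f"  {host:<8} {gb:6.2f} GB")
```

Note that without the leading `-` on the sort field the SPL would list the smallest senders, not the top offenders.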