Getting Data In
Highlighted

How to receive alert when number of kbps of indexed data exceeds a certain value

Explorer

Hi,

Is there a way to have this search do following: get me all sources that related to windows (win*) - then calculate the total, if the total is greater than 10kbps - send alert. I also want the search to create a stacked report

My search string is this:

index="_internal" (source=/metrics.log OR source=\metrics.log) group="per_sourcetype_thruput" series=win* | timechart span="10m" per_second(kb) by series | addtotals fieldname=Total label=all

the custom search condtion is

Where Total>10

I ran this task as scheduled and I'm getting all the results, not just the ones above 10k. If I run this in the search box I get the correct results:

index="_internal" (source=/metrics.log OR source=\metrics.log) group="per_sourcetype_thruput" series=win* | timechart span="10m" per_second(kb) by series | addtotals fieldname=Total label=all | where Total>10

but I don't know how to implement it using saved searches, and have it triggered if I actually have some results (splunk lets me trigger it if I get a certain number of events, not "results")

thanks

0 Karma
Highlighted

Re: How to receive alert when number of kbps of indexed data exceeds a certain value

Super Champion

You should be able to use your second search, and simply use the following following in the Alert Conditions section:

perform actions: "if number of events"
"is greater than"
"0"

In this case number of "events" means number of results.

View solution in original post

Highlighted

Re: How to receive alert when number of kbps of indexed data exceeds a certain value

Explorer

Great, didn't know you could do that, will give it a try.

0 Karma