Getting Data In

How to receive alert when number of kbps of indexed data exceeds a certain value

Explorer

Hi,

Is there a way to have this search do following: get me all sources that related to windows (win*) - then calculate the total, if the total is greater than 10kbps - send alert. I also want the search to create a stacked report

My search string is this:

index="_internal" (source=/metrics.log OR source=\metrics.log) group="per_sourcetype_thruput" series=win* | timechart span="10m" per_second(kb) by series | addtotals fieldname=Total label=all

the custom search condtion is

Where Total>10

I ran this task as scheduled and I'm getting all the results, not just the ones above 10k. If I run this in the search box I get the correct results:

index="_internal" (source=/metrics.log OR source=\metrics.log) group="per_sourcetype_thruput" series=win* | timechart span="10m" per_second(kb) by series | addtotals fieldname=Total label=all | where Total>10

but I don't know how to implement it using saved searches, and have it triggered if I actually have some results (splunk lets me trigger it if I get a certain number of events, not "results")

thanks

0 Karma
1 Solution

Super Champion

You should be able to use your second search, and simply use the following following in the Alert Conditions section:

perform actions: "if number of events"
"is greater than"
"0"

In this case number of "events" means number of results.

View solution in original post

Super Champion

You should be able to use your second search, and simply use the following following in the Alert Conditions section:

perform actions: "if number of events"
"is greater than"
"0"

In this case number of "events" means number of results.

View solution in original post

Explorer

Great, didn't know you could do that, will give it a try.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!