To calculate the indexing volume for the day, use:
index=_internal group=per_index_thruput earliest=@d | stats sum(kb) as KB_indexed
Then schedule this search with the custom criteria: "where KB_indexed > 1000000 | stats count | where count > 0"
This will alert you whenever the volume is more than 1GB for the day.
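A savedsearches.conf stanza that wires the search and the custom trigger condition above into one scheduled alert, added here as an example and not taken from any post in this thread; the stanza name, cron schedule and recipient address are placeholders.

```ini
# Added example, not from the thread: one scheduled alert built from the
# search and custom condition given in the answer above.
# Stanza name, schedule and e-mail address are placeholders.
[daily_index_volume_over_1gb]

# Today's indexing throughput in KB, summed over all indexes
# (per_index_thruput is indexing-pipeline throughput from metrics.log;
# license usage itself is reported separately in license_usage.log)
search = index=_internal group=per_index_thruput earliest=@d | stats sum(kb) as KB_indexed

# Run every 15 minutes so the alert fires soon after the threshold is crossed
enableSched = 1
cron_schedule = */15 * * * *

# Custom trigger condition: appended to the search results and must return
# at least one row to fire. 1000000 KB is roughly 1 GB.
alert_type = custom
alert_condition = where KB_indexed > 1000000 | stats count | where count > 0

# One notification per trigger rather than one per result row
alert.digest_mode = 1
action.email = 1
action.email.to = admin@example.com
```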
I don't understand. Why is my
_internal = 3263.3 M
main = 2022.4599 M
Aren't licenses based on the "main" indexer? If so, shouldn't I be trying to total up the main indexer instead of the "_internal"?
(fwiw - trying to run the aforementioned query with the main indexer does not work, and the main indexer is extremely slow when trying to look through everything)
Please advise.
Thanks!
Sean
where KB_indexed > 1000000 | stats count | where count > 0
The "where" clause was missing. My bad.
KB_indexed > 1000000 | stats count | search count > 0
Sean, what is the exact custom criteria that you're trying?
Thanks for the help Lowell, but I am running into a similar issue:
Encountered the following error while trying to save: In handler 'savedsearch': Cannot parse alert condition. Search operation 'kb' is unknown. You might not have permission to run this operation.
Why does it not recognize the "kb" from the original search?
Thanks,
Sean
Try where KB_indexed > 1000000 | stats count | search count > 0
Thanks for the help. The query appears to work as expected, but when I try to add the custom criteria you provided above, I receive the following Error:
Encountered the following error while trying to save: In handler 'savedsearch': Cannot parse alert condition. Search operation 'count' is unknown. You might not have permission to run this operation.
What I have as my Custom Criteria:
where KB_indexed > 1000000 | stats count | count > 0
Any ideas what steps are needed to correct the error above?
Thanks,
Sean