Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to send a notification when the my iindexer process through a certain amount of forwarded data

seanlon11
Path Finder
‎05-28-2010 06:29 PM

I want a search that will tell me the total throughput of my indexing server, and then setup a notification if that total amount is more than 1 Gigabyte of data.

Any suggestions?

Thanks, Sean

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎05-28-2010 07:57 PM

To calculate the indexing volume for the day use:

index=_internal group=per_index_thruput earliest=@d | stats sum(kb) as KB_indexed

Then schedule this search with the custom criteria: "where KB_indexed > 1000000 | stats count | where count > 0"

This will alert you whenever the volume is more than 1GB for the day.

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎05-28-2010 07:57 PM

To calculate the indexing volume for the day use:

index=_internal group=per_index_thruput earliest=@d | stats sum(kb) as KB_indexed

Then schedule this search with the custom criteria: "where KB_indexed > 1000000 | stats count | where count > 0"

This will alert you whenever the volume is more than 1GB for the day.

Reply
Solved! Jump to solution

seanlon11
Path Finder
‎06-07-2010 07:38 PM

I don't understand. Why is my

_internal = 3263.3 M
main = 2022.4599 M

Aren't licenses based off of the "main" indexer? If so, shouldn't I be trying to total up the main indexer instead of the "_internal"?

(fwiw - trying to run the aforementioned query with the main indexer does not work, and the main indexer is extremely slow when trying to look through everything)

Please advise.

Thanks!
Sean

0 Karma
Reply
Solved! Jump to solution

seanlon11
Path Finder
‎06-01-2010 03:37 PM

where KB_indexed > 1000000 | stats count | where count > 0

The "where" clause was missing. My bad.

0 Karma
Reply
Solved! Jump to solution

seanlon11
Path Finder
‎06-01-2010 03:35 PM

KB_indexed > 1000000 | stats count | search count > 0

0 Karma
Reply
Solved! Jump to solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎05-28-2010 10:16 PM

Sean, what is the exact custom criteria that you're trying?

0 Karma
Reply
Solved! Jump to solution

seanlon11
Path Finder
‎05-28-2010 09:18 PM

Thanks for the help Lowell, but I am running into a similar issue:

Encountered the following error while trying to save: In handler 'savedsearch': Cannot parse alert condition. Search operation 'kb' is unknown. You might not have permission to run this operation.

Why does it not recognize the "kb" from the original search?

Thanks,
Sean

0 Karma
Reply
Solved! Jump to solution

Lowell
Super Champion
‎05-28-2010 08:29 PM

Try where KB_indexed > 1000000 | stats count | search count > 0

0 Karma
Reply
Solved! Jump to solution

seanlon11
Path Finder
‎05-28-2010 08:05 PM

Thanks for the help. The query appears to work as expected, but when I try to add the custom criteria you provided above, I receive the following Error:

Encountered the following error while trying to save: In handler 'savedsearch': Cannot parse alert condition. Search operation 'count' is unknown. You might not have permission to run this operation.

What I have as my Customer Criteria:

where KB_indexed > 1000000 | stats count | count > 0

Any ideas what steps are needed to correct the error above?

Thanks,
Sean

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...