thanks for the quick reply. This will work just fine 🙂
Thanks again
You can get the current index size using "eventcount" search command. Use following search to get the current index size and add where clause for your threshold index size and set this as a schedule search with alert action as email.
| eventcount summarize=false report_size=true index=YourIndex | eval size_MB=size_bytes/(1024*1024) | eval size_GB=size_MB/1024 | where size_GB > YourThresholdValue
thanks for the quick reply. This will work just fine 🙂
Thanks again