IT Operations Discussions
All the up-time. All the nines.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert when license consumption reaches 1TB

oliverrojo
Engager
‎05-13-2021 02:07 AM

Hi,

 

What will be my search params if i want an alert when my license consumption reaches 1TB.

 

Thanks!

 

Oliver

0 Karma
1 Solution
Solved! Jump to solution
Solution

aasabatini
Motivator
‎05-13-2021 05:39 AM

Hi @oliverrojo 

What you mean?

for example this search check when the license it's over 1000GB in the last 30 day 

index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)] 
| where volume > 1000

and you can add an action on this search.

script ( stop the forwarder sending)

mail (advise a license violation)

if  I don't understand the point please explain better.

Regards

Alessandro

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

0 Karma
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-13-2021 05:50 AM

What have you tried so far?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Solved! Jump to solution

oliverrojo
Engager
‎05-13-2021 08:56 PM

hi @richgalloway ,

 

I'm using below 

 

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 |timechart span=1d sum(GB) as "Total GB Used for Today"| fields - bytes  

 

It's shows today's consumption of 400GB but when i try below, it's no longer showing anything.

 

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 |timechart span=1d sum(GB) as "Total GB Used for Today"| fields - bytes | where GB > 200

0 Karma
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-14-2021 05:46 AM

The where clause fails because the query no longer has a GB field.  The timestamp command is a transforming command that returns only the fields in its arguments plus _time.  Try this:

index=_internal source=*license_usage.log type=Usage 
| eval GB=b/1024/1024/1024 
|timechart span=1d sum(GB) as "Total GB Used for Today"
| fields - bytes 
| where 'Total GB Used for Today' > 200

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Solved! Jump to solution

oliverrojo
Engager
‎05-14-2021 10:08 AM

@richgalloway that also worked! Thanks a lot!

 

Oliver

0 Karma
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-14-2021 10:34 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Solved! Jump to solution
Solution

aasabatini
Motivator
‎05-13-2021 05:39 AM

Hi @oliverrojo 

What you mean?

for example this search check when the license it's over 1000GB in the last 30 day 

index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)] 
| where volume > 1000

and you can add an action on this search.

script ( stop the forwarder sending)

mail (advise a license violation)

if  I don't understand the point please explain better.

Regards

Alessandro

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Solved! Jump to solution

oliverrojo
Engager
‎05-13-2021 09:01 PM

hi, @aasabatini ,

 

Using below search params, it shows my license consumption of the day = 450GB under "Total GB Used for Today" column.

 

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 |timechart span=1d sum(GB) as "Total GB Used for Today"| fields - bytes 

 

But my objective is to only alert me if "Total GB Used for Today" shows 1000 (1TB) or greater so i used below just to test if that 450GB will still show but no output.

 

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 |timechart span=1d sum(GB) as "Total GB Used for Today"| fields - bytes | where GB > 200

0 Karma
Solved! Jump to solution

aasabatini
Motivator
‎05-14-2021 12:44 AM

Hi @oliverrojo 

I think the best way to set an alert is use this search based on your search:

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 |stats sum(GB) as "GB"| fields - bytes | where GB > 1000 | rename GB as "Total GB Used for Today"

and set the timerange on today

aasabatini_0-1620978201917.png

hope can help

Alessandro

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Solved! Jump to solution

oliverrojo
Engager
‎05-14-2021 10:06 AM

@aasabatini that worked! 

 

Thank you very much!

 

Oliver

0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...