Reporting

Why doesn't my alert condition work?

philip_wong
Communicator

I'm creating an alert to notify me when license pool usage is over 90% of defined pool size.

First, I wrote the alert search and condition like this, but I didn't get anything when usage was over 90%.

Search: index=_internal source=*license_usage.log type=Usage | eval used_gb=round(b/1024/1024/1024,2) | eval total_gb=poolsz/1024/1024/1024 | stats sum(used_gb) as used_gb first(total_gb) as total_gb by pool | eval percentage=round(used_gb/total_gb*100,2)
Condition: if custom condition is met "search percentage>=90"

After that, I changed it to this and it works!

Search: index=_internal source=*license_usage.log type=Usage | eval used_gb=round(b/1024/1024/1024,2) | eval total_gb=poolsz/1024/1024/1024 | stats sum(used_gb) as used_gb first(total_gb) as total_gb by pool | eval percentage=round(used_gb/total_gb*100,2) | where percentage>=90
Condition: if number of events larger than 0

Can anyone tell me what the difference is?

Thanks!

0 Karma

MuS
Legend

Hi philip.wong,

What version of Splunk are you using? Starting from version 6.2 you can use the Distributed Management Console, which has all kinds of different alerts preconfigured http://docs.splunk.com/Documentation/Splunk/latest/Admin/Platformalerts and it contains a license alert:

Total license usage near daily quota
Fires when you have used 90% of your total daily license quota.

No need to re-invent the wheel 😉

BTW, you should use where to compare two fields and their values, and not to compare a field with a string; see this answer https://answers.splunk.com/answers/128739/difference-between-where-and-search-commands.html

Have you tested it with only percentage>=90 in the custom condition?

Hope that helps ...

cheers, MuS

philip_wong
Communicator

We can't omit search/where in the custom condition. But you raised a good point: "where" is for boolean comparison.
I changed it to where percentage >= 90, and it works now!

We're still running 6.1.6. It's good to know Splunk has this in 6.2!

Thanks!

0 Karma
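The same per-pool calculation the alert search performs, written as an added offline check (example code, not from the thread or from Splunk): it mirrors the SPL pipeline (type=Usage filter, sum(b) per pool, first(poolsz) per pool, rounded percentage, then a numeric `where percentage>=90` style comparison) over constructed license_usage.log-style lines, so the expected alert result can be verified before the saved search is trusted. The key=value line layout and the sample values are assumptions.

```python
"""Offline check of the license-pool threshold logic from the thread."""
import re
from collections import defaultdict

# Constructed sample lines in license_usage.log style (not real log data).
# b and poolsz are byte counts, as in the thread's search.
SAMPLE_LINES = [
    'type=Usage s="web01" pool="prod_pool" b=52428800000 poolsz=107374182400',
    'type=Usage s="web02" pool="prod_pool" b=48318382080 poolsz=107374182400',
    'type=Usage s="db01" pool="dev_pool" b=1073741824 poolsz=21474836480',
    'type=RolloverSummary pool="prod_pool" b=0 poolsz=107374182400',
]

# key=value pairs; values are either double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

GB = 1024 ** 3


def parse_kv(line):
    """Return one log line's key=value pairs as a dict (quoted or bare values)."""
    return {key: bare or quoted for key, quoted, bare in KV_RE.findall(line)}


def pool_usage(lines):
    """Per pool: used_gb (sum of rounded per-event GB), total_gb (first poolsz), percentage."""
    used = defaultdict(float)
    total = {}
    for line in lines:
        event = parse_kv(line)
        if event.get("type") != "Usage":          # SPL: type=Usage
            continue
        pool = event["pool"]
        used[pool] += round(int(event["b"]) / GB, 2)   # eval used_gb=round(b/1024/1024/1024,2)
        total.setdefault(pool, int(event["poolsz"]) / GB)  # first(total_gb) by pool
    result = {}
    for pool, used_gb in used.items():
        used_gb = round(used_gb, 2)
        percentage = round(used_gb / total[pool] * 100, 2)  # eval percentage=...
        result[pool] = {"used_gb": used_gb, "total_gb": total[pool], "percentage": percentage}
    return result


def pools_over_threshold(results, threshold=90.0):
    """Numeric comparison, the equivalent of `| where percentage>=90`."""
    return sorted(pool for pool, r in results.items() if r["percentage"] >= threshold)


if __name__ == "__main__":
    usage = pool_usage(SAMPLE_LINES)
    for pool, r in usage.items():
        print(pool, r)
    print("alert would fire for:", pools_over_threshold(usage))
```

With the sample lines, prod_pool sums to 93.83 of 100 GB and would trigger the alert, while dev_pool sits at 5% and would not.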