Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why my alert condition doesn't work?

philip_wong
Communicator
‎05-04-2015 02:39 AM

I'm creating an alert to notify me when license pool usage is over 90% of defined pool size.

Firstly, I wrote the alert search and condition like this. But I couldn't get anything when it's over 90%.

Search: index=_internal source=*license_usage.log type=Usage | eval used_gb=round(b/1024/1024/1024,2) | eval total_gb=poolsz/1024/1024/1024 | stats sum(used_gb) as used_gb first(total_gb) as total_gb by pool | eval percentage=round(used_gb/total_gb*100,2)
Condition: if custom condition is met "search percentage>=90"

After that, I change to this and it works!

Search: index=_internal source=*license_usage.log type=Usage | eval used_gb=round(b/1024/1024/1024,2) | eval total_gb=poolsz/1024/1024/1024 | stats sum(used_gb) as used_gb first(total_gb) as total_gb by pool | eval percentage=round(used_gb/total_gb*100,2) | where percentage>=90
Condition: if number of events larger than 0

Anyone can tell what's the difference?

Thanks!

0 Karma
Reply

MuS
Legend
‎05-04-2015 02:48 AM

Hi philip.wong,

What version of Splunk are you using? Starting from Version 6.2 you can use the Distributed Management Console which has all kind of different alerts pre configured http://docs.splunk.com/Documentation/Splunk/latest/Admin/Platformalerts and it contains a license alert :

Total license usage near daily quota    
Fires when you have used 90% of your total daily license quota.

No need to re-invent the wheel 😉

btw, you should use where to compare two fields and their value and not to compare a field with a string, see this answer https://answers.splunk.com/answers/128739/difference-between-where-and-search-commands.html

Have you tested it with only percentage>=90 in the custom condition?

Hope that helps ...

cheers, MuS

Reply

philip_wong
Communicator
‎05-04-2015 03:43 AM

We can't omit search/where in custom condition. But you raised a good point "where" is for boolean comparasion.
I checked to where percentage >= 90, it works now!

We're still running 6.1.6. It's good to know Splunk has this come with 6.2!

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...