Splunk Search

How to set up an alert to send an email when the daily indexing volume limit is exceeded?

kavraja
Path Finder

Hey there,

I'm trying to set up a custom alert that would send out an email whenever the daily indexing volume is exceeded. The search I am running is:

index=_internal source=*metrics.log group=per_index_thruput series!=_* | eval totalGB = (kb / 1024) / 1024 | timechart span=1d sum(totalGB) as total

Which shows how many gigs have been indexed for the day when run over the past 24 hours.

This works fine, but my issue is that I can't figure out how to create the custom search that would monitor this search from the start of the day and send an alert when the gigs are above 2, for example.

In the alert option, I have scheduled it to run every hour and put in a custom search condition as "search total > 2". The problem with this is that the search only searches the indexing done for the past hour and not for the whole day. Meaning the results from the alert keep showing up as either 0.3 and so on every hour.

Is there a way I can run the alert every hour but have it take into account the amount indexed for the whole day?

Thanks in advance!

1 Solution

martin_mueller
SplunkTrust

You can set the time range from @d to now and set a cron schedule of 1 * * * *, which would run the search every hour at one minute past.

Note, Splunk has a better way of calculating the current day's license usage - see Settings -> Licensing -> Usage Report; for example, the top right panel "Today's Percentage of Daily License Quota Used per Pool" is basically what you need for your alert. That lists all your license pools along with a percentage used; set the alert to trigger if a pool reaches 90% or whatever you need.
To get the search behind the panel you can just click the magnifying glass in the bottom left corner of the panel and save that as an alert.
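Both approaches from the answer, written out as savedsearches.conf stanzas. This is an added example, not configuration from the thread or from Splunk's own usage report: the stanza names, the 2 GB and 90% thresholds, the e-mail address, and the license_usage.log search in the second stanza are assumptions. The first stanza keeps the poster's metrics.log search and custom trigger condition; note that per_index_thruput only reports the busiest series per interval (limits.conf [metrics] maxseries, default 10), so on a box with many indexes it undercounts, which is why the second stanza, driven by the log the license master actually bills from, is the one to trust for quota alerts.

```ini
# $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
# Added example; stanza names, thresholds and recipient are assumptions.

[Daily indexing volume over 2 GB]
# The poster's search, collapsed to a single row with stats: the dispatch
# window below already limits it to today, so timechart span=1d is not needed.
search = index=_internal source=*metrics.log group=per_index_thruput series!=_* \
| stats sum(kb) AS kb \
| eval totalGB = round(kb / 1024 / 1024, 3)
# Window is start-of-today to now, so every hourly run sees the whole day,
# not just the last hour (the cause of the 0.3 GB readings in the question).
dispatch.earliest_time = @d
dispatch.latest_time = now
enableSched = 1
# One minute past every hour; the 00:01 run covers only the first minute of the day.
cron_schedule = 1 * * * *
# Custom trigger condition as in the thread: fire when the result row exceeds 2 GB.
alert_type = custom
alert_condition = search totalGB > 2
# After the first trigger, stay quiet for the rest of the day instead of
# mailing every hour while the volume remains above the threshold.
alert.suppress = 1
alert.suppress.period = 24h
alert.track = 1
alert.severity = 4
action.email = 1
action.email.to = ops@example.com
action.email.subject = Indexed $result.totalGB$ GB so far today (threshold 2 GB)
action.email.sendresults = 1
action.email.inline = 1

[License pool over 90 percent of daily quota]
# Alternative from the answer: license_usage.log is what the Settings -> Licensing
# usage report reads and what the license master actually counts. It is written
# on the license master, so schedule this there. Search is an assumed reconstruction
# of the per-pool percentage, not the report panel's own query: b = bytes indexed,
# poolsz = pool size in bytes.
search = index=_internal source=*license_usage.log* type=Usage \
| stats sum(b) AS used_bytes latest(poolsz) AS pool_bytes BY pool \
| eval pct_used = round(100 * used_bytes / pool_bytes, 1) \
| where pct_used >= 90
dispatch.earliest_time = @d
dispatch.latest_time = now
enableSched = 1
cron_schedule = 1 * * * *
# Filtering in the search itself means the e-mail lists only the offending pools;
# the trigger is then simply "any results".
counttype = number of events
relation = greater than
quantity = 0
alert.suppress = 1
alert.suppress.period = 24h
alert.track = 1
alert.severity = 5
action.email = 1
action.email.to = ops@example.com
action.email.subject = License pool $result.pool$ at $result.pct_used$% of daily quota
action.email.sendresults = 1
action.email.inline = 1
```

Reload with `splunk reload` or restart, then check Settings -> Searches, reports, and alerts shows both alerts as scheduled; the second stanza returns nothing on an indexer that is not the license master, which is the expected result rather than a broken search.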


kavraja
Path Finder

Thanks martin_mueller. It works great!
