Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

trigger alert if license utilization by an index is increased by 50GB comparing to last day

vikas_gopal
Builder
‎10-01-2021 03:50 PM

HI Experts ,

I want to rigger an alert based on below scenario

1) Get license utilization in GB for yesterday and day before yesterday .

2) Show difference in GB and if the difference is increased by 40GB then trigger an alert

Something like below , I want to trigger alert only for line 2 that is for database

index_nameyesterdayday_before_yesterdaydiff
application20GB10GB10GB
database30GB70GB40GB
security40GB20GB20GB
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vikas_gopal
Builder
‎10-01-2021 05:51 PM

Well I have achieved this with below search query , hope this will help someone

Run this from LM

index=_internal sourcetype=splunkd source=*license_usage.log type=usage earliest=-2d@d latest=@d
| eval day=if(_time>relative_time(now(),"-1d@d"),"Yesterday","Day_Before_Yesterday") | chart sum(b) as usage by idx day
| eval Yesterday=round(Yesterday/1024/1024/1024,2) | eval Day_Before_Yesterday=round(Day_Before_Yesterday/1024/1024/1024,2)
| eval diff=round((Yesterday-Day_Before_Yesterday),2)|where diff>20

View solution in original post

Reply
Solved! Jump to solution
Solution

vikas_gopal
Builder
‎10-01-2021 05:51 PM

Well I have achieved this with below search query , hope this will help someone

Run this from LM

index=_internal sourcetype=splunkd source=*license_usage.log type=usage earliest=-2d@d latest=@d
| eval day=if(_time>relative_time(now(),"-1d@d"),"Yesterday","Day_Before_Yesterday") | chart sum(b) as usage by idx day
| eval Yesterday=round(Yesterday/1024/1024/1024,2) | eval Day_Before_Yesterday=round(Day_Before_Yesterday/1024/1024/1024,2)
| eval diff=round((Yesterday-Day_Before_Yesterday),2)|where diff>20

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...