Alerting

Alerts on license usage for Splunk 6.1

athorat
Communicator

Hi Folks,

I am using the query to get the data indexed per day

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats  sum(GB)

And want to trigger an email when the indexed data reaches 20GB.
in custom condition I am using

where sum(GB) > 20

I am not getting an email for this alert.
Not sure what's going wrong about this one.Getting emails for other alerts.
Is the query correct?

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi athorat,

Well, if you run this search directly in Splunk like this:

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats  sum(GB) | where sum(GB) > 20

You will get a nice error message:

 Error in 'where' command: The 'sum' function is unsupported or undefined.

But, if you run it like this:

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats  sum(GB) AS sum | where sum > 20

all works as expected.

Hope that helps ...

cheers, MuS

athorat
Communicator

What is the path of this file?

0 Karma

athorat
Communicator

Hey MuS,

thanks for the reply.
So my query in the search is

  index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats  sum(GB)

and when I Save it as a alert I use

where sum(GB) > 20
So I am not getting the error which you mention its just that the email is not triggered nor do I see the alert being triggered.

Thanks,
Anil.

0 Karma

MuS
SplunkTrust
SplunkTrust

yes, the reason why you get no email nor the alert is triggered is that where sum(GB) > 20 does not work. So change it like I said and it will run 😉

0 Karma

athorat
Communicator

so I changed the query as per your suggestions

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats  sum(GB) AS sum

and in the alerts I am supposed to put the Custom condition which I did, still does not trigger the alret.

where sum > 20

I am not sure If I have the query right.

0 Karma

MuS
SplunkTrust
SplunkTrust

the query looks good, you probably are not over 20Gb yet. So change it to a lower number like 1Gb

0 Karma

athorat
Communicator

The data shows its more than 22 GB.
Cant attach a snapshot here.

0 Karma

MuS
SplunkTrust
SplunkTrust

can you paste the config for this alert from savedsearches.conf please?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...