Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk indexing volume by index alert

splunkiscool1
Engager
‎04-12-2013 11:06 AM

Hello,

I would like to get an alert if the indexing volume for an index drops.

I'm thinking something similar this, but I'm not sure how to translate it to Splunk's language:

if (yesterday's total indexing volume for EACH index) is at least 20% less than (the average daily indexing volume for EACH index over -2 to -7 days) then (alert)

Any suggestions?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-12-2013 12:34 PM

Starting with the index volume query from the Status menu in Search you can build this:

index=_internal source=*metrics.log group=per_index_thruput | bin span=1d _time | stats sum(kbps) as daily_volume by series _time | eventstats avg(daily_volume) as avg_volume by series | where _time = relative_time(now(), "@d-d") AND daily_volume < avg_volume * 0.8

Run over -7d@d to @d and alert whenever this yields a result.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-12-2013 12:34 PM

Starting with the index volume query from the Status menu in Search you can build this:

index=_internal source=*metrics.log group=per_index_thruput | bin span=1d _time | stats sum(kbps) as daily_volume by series _time | eventstats avg(daily_volume) as avg_volume by series | where _time = relative_time(now(), "@d-d") AND daily_volume < avg_volume * 0.8

Run over -7d@d to @d and alert whenever this yields a result.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-15-2013 05:51 AM

Yesterday was Sunday, the where is hence looking for a day that was filtered out in the main search.

0 Karma
Reply
Solved! Jump to solution

splunkiscool1
Engager
‎04-15-2013 05:24 AM

index=_internal source=*metrics.log group=per_index_thruput (date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday) | bin span=1d _time | stats sum(kbps) as daily_volume by series _time | eventstats avg(daily_volume) as avg_volume by series | where _time = relative_time(now(), "@d-d") AND daily_volume > avg_volume * 0.8

I get no results whether I have a < or >. When removing the (date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday) I do get results with the original search from your first post

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-15-2013 05:08 AM

Append this to the main search:

(date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday)
0 Karma
Reply
Solved! Jump to solution

splunkiscool1
Engager
‎04-15-2013 04:56 AM

Thanks martin!

I'm trying to figure out how to specify weekdays only(as this will trigger every weekend how it is now, because I have an expected large drop in volume during the weekend).

So, I would like to just ignore weekends, and only run the search throughout the week, but the average should only be calculated with weekdays as well.

I see in Splunk Documentation how to specify a specific day of the week, but how could I specify to go 7 days back, but only average the weekdays?

0 Karma
Reply
Get Updates on the Splunk Community!

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...