How do I set up my real-time alert to trigger when license usage is greater than 80%?

Abilan1
Path Finder

Hi,

We are using Splunk 6.2 and I wanted to set up an alert once license usage has crossed 80%. So I referred to this page from the Splunk documentation.

http://docs.splunk.com/Documentation/Splunk/6.0/Admin/LicenseUsageReportViewexamples

Below is my search, and it works in search, but if I set up the alert in real-time (per result), I am not receiving the alert and it is not listed in triggered alerts. I am not sure what the issue is with the search below. Please help me here.

| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% used"=round(used_bytes/quota*100,2) | fields Pool "% used" | where '% used' > 80
0 Karma
1 Solution

jensonthottian
Contributor

It should work if it's working in search.
Are your alert conditions set as: Trigger Condition: Number of Results is > 0?

Abilan1
Path Finder

Hi,
I have set it up as a real-time search (per result). It is not even showing in triggered alerts. Not sure why that is.

0 Karma

Abilan1
Path Finder

Hi,

If I set up this alert in real time, it does not work as expected. If I set it up as Scheduled, then it works fine. I have configured it with a Cron Schedule and it is good now.

Thank you!!!

jensonthottian
Contributor

Good to know it works for you as a scheduled alert. I will try real time as well at my end.

0 Karma
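
The scheduled setup the thread settled on, written as a savedsearches.conf stanza. This is an added example, not part of the original posts: the search is the one from the question, while the stanza name, the 15-minute cron interval, the throttle period and the e-mail address are assumptions.

```ini
# savedsearches.conf (added example; stanza name, schedule, throttle
# period and recipient are assumed placeholders, not values from the thread)
[License pool usage over 80 percent]
search = | rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% used"=round(used_bytes/quota*100,2) | fields Pool "% used" | where '% used' > 80

# Run on a cron schedule instead of as a real-time (per result) alert
enableSched = 1
cron_schedule = */15 * * * *

# Trigger Condition: Number of Results is > 0
counttype = number of events
relation = greater than
quantity = 0

# One alert per run covering every pool over the threshold,
# and list it under Triggered Alerts
alert.digest_mode = 1
alert.track = 1
alert.severity = 4

# Throttle so a pool that stays above 80% does not alert on every run
alert.suppress = 1
alert.suppress.period = 1h

# Notification (recipient is a placeholder)
action.email = 1
action.email.to = splunk-admins@example.com
action.email.subject = License pool usage above 80 percent
```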