Splunk Search

Creating an alert for daily indexed volume for 4.2.x

williamsweat
Path Finder

Hello,

I want to create a saved search that will send an email with a report on daily index volumes to know when I'm close to a license violation.

I've looked at the documentation but the search given no longer works in 4.2 (and can't track the new fields yet. I'm aware of the deployment app, but I need something that will send out an email alert to a distribution list to send early warnings.

Do you have a search query available? Or know which fields in the _internal index I can use?

Thanks

0 Karma
1 Solution

jlaw
Splunk Employee
Splunk Employee

kristian_kolb
Ultra Champion

The following search seem to work much faster, and the results are close enough - there may be some small rounding effects, but nothing significant. It's based on the searches used by the Deployment Monitor. It does not take the advanced licensing stacking, pooling etc into account. It will just give you a simple table of the amount indexed by indexer.

I did put a "where" statement in to filter out the search head itself, which also poplulates the summary index, but it's only a couple of kb, so it just clutters the report (the poster said he wanted an early warning system - not correctness down to the *n*th decimal).

index="summary_indexers" |  bucket _time as day span=d | eval gb=kb/1048576 | eval Date = strftime(day, "%b %d, %Y - %A")| stats sum(gb) as GB by my_splunk_server, Date | eval GB=round(GB,2)| where GB > "0.01" |eventstats sum(GB) as SumDailyGB by Date

This has been tested on a 1 search head - 1 indexer setup, so your results may differ.

Not sure if this would really help you, but you could always play around with it a little. Below a simpler version just giving you the basics.

index="summary_indexers" | eval GB=kb/1048576 | eval GB=round(GB,2)| timechart span=1d sum(GB) by my_splunk_server | addtotals 

Kristian

0 Karma

jlaw
Splunk Employee
Splunk Employee
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...