How can I set an alert to notify my with a trigger condition for when the % of the index hits or goes above 50 percent for the day?
I am assuming I can use this search, which is from the "Settings>Licensing>Usage Report" page, labeled "Today's Percentage of Daily License Quota used per pool"
| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% used"=round(used_bytes/quota*100,2) | fields Pool "% used"
I set it to run every hour, but what would I put for my trigger condition to say, "only email if it's over 50%"?
I am not sure how to use the "Trigger condition", or the "Trigger if number of results" portions.
Thanks!
I would suggest to set up (and adjust as needed) the "Total license usage near daily quota" platform alert that ships with the Distributed Management Con....
Build your threshold into your search like this:
... | where "% used" > "50"
Then trigger for if number of results > 0
.
for "condition"
it offers:
if number of events, hosts, sources, or custom.
Would I be choosing 'custom', and then in the
"custom condition search" put , [if number of results > 0]?
thanks woodcock.
Use events
.