Alerting

How to create an alert to notify me via email when an index goes over 50% of the daily license quota?

agentguerry
Path Finder

How can I set an alert to notify my with a trigger condition for when the % of the index hits or goes above 50 percent for the day?

I am assuming I can use this search, which is from the "Settings>Licensing>Usage Report" page, labeled "Today's Percentage of Daily License Quota used per pool"

| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% used"=round(used_bytes/quota*100,2) | fields Pool "% used"

I set it to run every hour, but what would I put for my trigger condition to say, "only email if it's over 50%"?

I am not sure how to use the "Trigger condition", or the "Trigger if number of results" portions.

Thanks!

0 Karma

hexx
Splunk Employee
Splunk Employee
0 Karma

woodcock
Esteemed Legend

Build your threshold into your search like this:

... | where "% used" > "50"

Then trigger for if number of results > 0.

agentguerry
Path Finder

for "condition"

it offers:

if number of events, hosts, sources, or custom.

Would I be choosing 'custom', and then in the
"custom condition search" put , [if number of results > 0]?

thanks woodcock.

woodcock
Esteemed Legend

Use events.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...