- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Re: How to create an alert to trigger when the lic...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create an alert to trigger when the license usage of a heavy forwarder reaches 90%?
Hi...I wanted to know how we can create an alert when the license usage of a "heavy forwarder" reaches a threshold say about 90% of license usage. We want to get alerted when such a thing occurs. Currently I have the following search:
index =_internal source = *license_usage.log* type = Usage earliest=-7d@d latest=now | search h=ftlpsplunkfwd01.citrite.net | eval MB=b/(1024*1024) | eval date=strftime(_time, "%1m/%0d/%Y") | stats sum(MB) as Usage(MB) by date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe something like this:
index=_internal source=*license_usage.log type=Usage earliest=-7d@d latest=now
| search h=ftlpsplunkfwd01.citrite.net
| eval MB=b/(1024*1024)
| eval date=strftime(_time, "%1m/%0d/%Y")
| stats sum(MB) as Usage(MB) by date
| appendcols [
| rest splunk_server=local /services/licenser/stacks
| stats max(quota) as license_limit
| eval license_limitMB = license_limit/1024/1024
| fields license_limitMB
]
| eventstats max(license_limitMB) as license_limitMB
| eval license_usage = round('Usage(MB)'/license_limitMB*100, 2)
| where license_usage > 90
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried running the query but didn't get any statistics..!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not getting a result could be good thing. The denotes that your HF is not exceeding the 90% of total license usage. TO double check the values, just remove the last line and validate the results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sir, is there a way (SPL) to be notified when data sent by a HF changes / degrades to for example 15-20 % of the daily sent amount ? Thank u very much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Keep in mind the last line is filtering where license usage > 90% so try tweaking that.
If that doesn't give you any result, try removing the second line (search h=...) and the earliest and latest filters.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
