Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way to set up my Splunk cluster to alert me once I've indexed 4GB per day?

sympatiko
Communicator
‎03-03-2015 03:35 AM

Hi,

Is there a way to set my splunk cluster to alert me once I'm already indexing 4GB per day? I have a 5gb license. I just want to be alert before I exceed the allowed indexed per day.

BTW, my setup is RF=3 SF=3

Thanks,

0 Karma
Reply

linu1988
Champion
‎03-03-2015 04:08 AM

Hi Eddel,
Use the below one as an alert to get notified on your license Master.

index=_internal source=*license_usage.log type=Usage earliest=-0d@d | stats sum(b) as tot | eval GB=tot/1024/1024/1024 |table host,GB| where GB > 4

OR
Quicker

| rest /services/licenser/pools|where stack_id="enterprise" |eval used_bytes=used_bytes/(1024*1024*1024)|table splunk_server,used_bytes|where used_bytes >4|eval used_bytes=used_bytes." GB"|rename used_bytes as "Usage"

Thanks,
L

0 Karma
Reply

MuS
Legend
‎03-03-2015 03:59 AM

Hi sympatiko,

if you're on Splunk 6.2 use the DMC (Distributed Management Console) which has predefined alerts for this. It is called DMC Alert - Total License Usage Near Daily Quota and needs to be enabled. Read more in the docs here http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Platformalerts

If you're on pre Splunk 6.2 take a look at the docs here http://docs.splunk.com/Documentation/Splunk/6.0/Admin/LicenseUsageReportViewexamples

Hope this helps ...

cheers, MuS

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...