Solved: trigger alert if license utilization by an index i...

vikas_gopal · ‎10-01-2021

HI Experts ,

I want to rigger an alert based on below scenario

1) Get license utilization in GB for yesterday and day before yesterday .

2) Show difference in GB and if the difference is increased by 40GB then trigger an alert

Something like below , I want to trigger alert only for line 2 that is for database

index_name	yesterday	day_before_yesterday	diff
application	20GB	10GB	10GB
database	30GB	70GB	40GB
security	40GB	20GB	20GB

vikas_gopal · ‎10-01-2021

Well I have achieved this with below search query , hope this will help someone

Run this from LM

index=_internal sourcetype=splunkd source=*license_usage.log type=usage earliest=-2d@d latest=@d
| eval day=if(_time>relative_time(now(),"-1d@d"),"Yesterday","Day_Before_Yesterday") | chart sum(b) as usage by idx day
| eval Yesterday=round(Yesterday/1024/1024/1024,2) | eval Day_Before_Yesterday=round(Day_Before_Yesterday/1024/1024/1024,2)
| eval diff=round((Yesterday-Day_Before_Yesterday),2)|where diff>20

View solution in original post

vikas_gopal · ‎10-01-2021

Well I have achieved this with below search query , hope this will help someone

Run this from LM

index=_internal sourcetype=splunkd source=*license_usage.log type=usage earliest=-2d@d latest=@d
| eval day=if(_time>relative_time(now(),"-1d@d"),"Yesterday","Day_Before_Yesterday") | chart sum(b) as usage by idx day
| eval Yesterday=round(Yesterday/1024/1024/1024,2) | eval Day_Before_Yesterday=round(Day_Before_Yesterday/1024/1024/1024,2)
| eval diff=round((Yesterday-Day_Before_Yesterday),2)|where diff>20

trigger alert if license utilization by an index is increased by 50GB comparing to last day

alert condition

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases