Getting Data In

How to receive alert when number of kbps of indexed data exceeds a certain value

DyJohnnY
Explorer

Hi,

Is there a way to have this search do following: get me all sources that related to windows (win*) - then calculate the total, if the total is greater than 10kbps - send alert. I also want the search to create a stacked report

My search string is this:

index="_internal" (source=/metrics.log OR source=\metrics.log) group="per_sourcetype_thruput" series=win* | timechart span="10m" per_second(kb) by series | addtotals fieldname=Total label=all

the custom search condtion is

Where Total>10

I ran this task as scheduled and I'm getting all the results, not just the ones above 10k. If I run this in the search box I get the correct results:

index="_internal" (source=/metrics.log OR source=\metrics.log) group="per_sourcetype_thruput" series=win* | timechart span="10m" per_second(kb) by series | addtotals fieldname=Total label=all | where Total>10

but I don't know how to implement it using saved searches, and have it triggered if I actually have some results (splunk lets me trigger it if I get a certain number of events, not "results")

thanks

0 Karma
1 Solution

Lowell
Super Champion

You should be able to use your second search, and simply use the following following in the Alert Conditions section:

perform actions: "if number of events"
"is greater than"
"0"

In this case number of "events" means number of results.

View solution in original post

Lowell
Super Champion

You should be able to use your second search, and simply use the following following in the Alert Conditions section:

perform actions: "if number of events"
"is greater than"
"0"

In this case number of "events" means number of results.

DyJohnnY
Explorer

Great, didn't know you could do that, will give it a try.

0 Karma
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...