Thanks for this, walkeran. This is a much faster and more flexible solution than the previous. However, it's not totally correct. Your search will only produce results if a single indexer in the pool has exceeded the pool allocation. What is needed is to find whether all of the indexers in the pool combined have exceeded the allocation.
Here is the modified solution:
earliest=@d latest=now sourcetype=splunkd index=_internal type=RolloverSummary source=*license_usage.log | stats sum(b) as usage by pool, poolsz | where usage > poolsz | eval usage = usage/1024/1024/1024 | eval poolsz = poolsz/1024/1024/1024
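To show why the pool-wide sum matters, here is the same aggregation done outside Splunk in Python. This is an added example, not code from the answer above; the key=value layout of the RolloverSummary lines and all byte values are constructed, and the pool and slave names are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key=value layout assumed for
# type=RolloverSummary events in license_usage.log; values are made up.
# Three indexers share a 10 GiB pool and use 4 + 5 + 2 GiB: no single
# indexer exceeds the pool, but the pool as a whole does.
SAMPLE_LOG = """\
01-02-2024 00:00:00.000 +0000 INFO  LicenseUsage - type="RolloverSummary" date="01-01-2024" slave="idx1" pool="auto_generated_pool_enterprise" stack="enterprise" poolsz=10737418240 stacksz=10737418240 b=4294967296
01-02-2024 00:00:00.000 +0000 INFO  LicenseUsage - type="RolloverSummary" date="01-01-2024" slave="idx2" pool="auto_generated_pool_enterprise" stack="enterprise" poolsz=10737418240 stacksz=10737418240 b=5368709120
01-02-2024 00:00:00.000 +0000 INFO  LicenseUsage - type="RolloverSummary" date="01-01-2024" slave="idx3" pool="auto_generated_pool_enterprise" stack="enterprise" poolsz=10737418240 stacksz=10737418240 b=2147483648
01-02-2024 00:00:00.000 +0000 INFO  LicenseUsage - type="RolloverSummary" date="01-01-2024" slave="idx4" pool="dev_pool" stack="enterprise" poolsz=1073741824 stacksz=10737418240 b=536870912
01-02-2024 00:00:00.000 +0000 INFO  LicenseUsage - type="RolloverSummary" date="01-01-2024" slave="idx5" pool="dev_pool" stack="enterprise" poolsz=1073741824 stacksz=10737418240 b=268435456
"""

# key=value pairs, either quoted ("...") or bare tokens
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
GIB = 1024 ** 3


def parse_rollover(log):
    """Yield a dict of key=value fields for each RolloverSummary line."""
    for line in log.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
        if fields.get("type") == "RolloverSummary":
            yield fields


def pool_usage(log):
    """Sum bytes per (pool, poolsz), like `stats sum(b) as usage by pool, poolsz`."""
    totals = defaultdict(int)
    for ev in parse_rollover(log):
        totals[(ev["pool"], int(ev["poolsz"]))] += int(ev["b"])
    return totals


def pools_over_allocation(log):
    """Pools whose combined usage exceeds poolsz, as (usage GiB, poolsz GiB)."""
    return {pool: (usage / GIB, poolsz / GIB)
            for (pool, poolsz), usage in pool_usage(log).items()
            if usage > poolsz}


def indexers_over_allocation(log):
    """The per-indexer check the post calls insufficient: fires only when one event alone has b > poolsz."""
    return [ev["slave"] for ev in parse_rollover(log)
            if int(ev["b"]) > int(ev["poolsz"])]
```

On the sample data the per-indexer check finds nothing, while the pool-wide sum flags the enterprise pool at 11 GiB against a 10 GiB allocation.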
Damien's solution forces you to put an arbitrary number in the search. How can I do this and reference the pool size? I only care if the limit was exceeded, and this search needs to automatically adjust if the pool size is adjusted.
Thanks.
This DOES work, but the documentation is wrong.
Contrary to what is stated here: http://wiki.splunk.com/Community:TroubleshootingAlertScripts and in the README file for each app, you need to put it in etc/apps/ /bin/scripts.
Then, in your alert, don't specify any path, just the name of the script.