- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Alerts on license usage for Splunk 6.1
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alerts on license usage for Splunk 6.1
Hi Folks,
I am using the query to get the data indexed per day
index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats sum(GB)
And want to trigger an email when the indexed data reaches 20GB.
in custom condition I am using
where sum(GB) > 20
I am not getting an email for this alert.
Not sure what's going wrong about this one.Getting emails for other alerts.
Is the query correct?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi athorat,
Well, if you run this search directly in Splunk like this:
index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats sum(GB) | where sum(GB) > 20
You will get a nice error message:
Error in 'where' command: The 'sum' function is unsupported or undefined.
But, if you run it like this:
index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats sum(GB) AS sum | where sum > 20
all works as expected.
Hope that helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the path of this file?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey MuS,
thanks for the reply.
So my query in the search is
index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats sum(GB)
and when I Save it as a alert I use
where sum(GB) > 20
So I am not getting the error which you mention its just that the email is not triggered nor do I see the alert being triggered.
Thanks,
Anil.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, the reason why you get no email nor the alert is triggered is that where sum(GB) > 20 does not work. So change it like I said and it will run 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so I changed the query as per your suggestions
index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) |stats sum(GB) AS sum
and in the alerts I am supposed to put the Custom condition which I did, still does not trigger the alret.
where sum > 20
I am not sure If I have the query right.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the query looks good, you probably are not over 20Gb yet. So change it to a lower number like 1Gb
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The data shows its more than 22 GB.
Cant attach a snapshot here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you paste the config for this alert from savedsearches.conf please?
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
Detecting Remote Code Executions With the Splunk Threat Research Team
