How to create an email alert when Data usage is reached 75% and 90%

Comments

1 comment

  • Avatar
    Latimer Luis

    There are various methods you can use to set up data ingest alerts on your account. One of the more straight-forward ways of configuring an alert is by doing what you've noted above, which is to send an E-Mail when your account reaches a certain pre-determined threshold. 

    In order to set up these alerts, you will first need to enable the data volume index to start collecting more detailed statistics about your ingest. After enabling this index, I'd advise you to wait a full 24 hours before setting up your alert. 

    The sample query below will only return values when the threshold is met. You should configure your alert so that it's triggered only when more than "0" results are returned. When the threshold value is met or crossed, a list of collectors will be included in the E-Mail body and the "chattier" collectors will be ranked ahead of the others. I would recommend  that you schedule this alert to run every four hours or so and to select the time-range of "Today."

    _index=sumologic_volume
    | where _sourceCategory="collector_volume"
    | parse regex "(?<collector>\"[^\"]*\")\:\{\"sizeInBytes\"\:(?<bytes>\d+),\"count\"\:(?<count>\d+)\}" multi
    | bytes/1024/1024/1024 as gbytes
    | sum(gbytes) as gbytes by collector
    | total gbytes as todays_volume
    | "200" as plan_size //replace with your daily plan limit
    | gbytes / todays_volume as collector_pct_of_todaysvolume
    | todays_volume / plan_size as todaysvolume_against_plan
    | where todaysvolume_against_plan > .9 //replace with the percentage threshold you're wanting to alert on
    | sort gbytes
    | fields collector, gbytes, collector_pct_of_todaysvolume, todays_volume, plan_size, todaysvolume_against_plan

     

    NOTE: Please adjust the plan_size and thresholds accordingly. Please look for the comments in the sample query above. 

    Thanks,
    Latimer 

Please sign in to leave a comment.