Lab 6: Alerting when Data Ingest Reaches 50 Percent Threshold

This lab shows an example query that fires an alert when daily data ingest reaches 50% of your plan's daily limit. You will save it as a scheduled search that notifies you when usage crosses that threshold.


  1. As a prerequisite, this solution requires the Data Volume Index to be enabled; it captures the per-collector detail about your daily ingest that the query parses.

  2. The query only returns results when todays_volume_against_plan exceeds the threshold in the final where clause, so for this lab set that threshold to 0.5 (50% of the plan). To see the per-collector breakdown for all your Collectors while testing, comment out that where clause.

  3. Schedule the query to run every 4 hours with a time range of Today. The time range matters: todays_volume is the sum of everything the search returns, so a longer range would compare more than one day of ingest against a single day's plan.


_index=sumologic_volume // the Data Volume Index; the search needs this scope and the index must be enabled
| where _sourceCategory="collector_volume"
| parse regex "\"(?<collector>[^\"]+)\"\:\{\"sizeInBytes\"\:(?<bytes>\d+),\"count\"\:(?<count>\d+)\}" multi
| bytes/1024/1024/1024 as gbytes
| sum(gbytes) as gbytes by collector
| total gbytes as todays_volume
| 100 as plan_size // numeric literal; replace with your daily plan limit in GB
| gbytes / todays_volume as collector_pct_of_todaysvolume
| todays_volume / plan_size as todaysvolume_against_plan
| where todaysvolume_against_plan > .5 // 0.5 = 50% of plan; replace with desired threshold
| sort by gbytes
| fields collector, gbytes, collector_pct_of_todaysvolume, todays_volume, plan_size, todaysvolume_against_plan
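To check what the query's arithmetic will do before scheduling it, here is an added Python example that is not part of the lab or of Sumo Logic's own code. It applies the same regex and the same per-collector sum, total, ratio and threshold steps to a couple of constructed collector_volume messages; the collector names, byte counts, plan size and threshold are made up for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample messages in the shape of collector_volume records from the
# Data Volume Index: a JSON object keyed by collector name, each value carrying
# sizeInBytes and count. Values are invented for this example.
SAMPLE_MESSAGES = [
    '{"web-prod":{"sizeInBytes":32212254720,"count":150000},'
    '"db-prod":{"sizeInBytes":10737418240,"count":42000}}',
    '{"web-prod":{"sizeInBytes":21474836480,"count":98000},'
    '"lab-collector":{"sizeInBytes":1073741824,"count":5000}}',
]

# Same pattern as the lab query's `parse regex ... multi`; the "multi"
# behaviour (every match per message) becomes re.finditer below.
COLLECTOR_RE = re.compile(
    r'"(?P<collector>[^"]+)":\{"sizeInBytes":(?P<bytes>\d+),"count":(?P<count>\d+)\}'
)

GIB = 1024 ** 3  # bytes/1024/1024/1024 as gbytes


def gbytes_by_collector(messages):
    """Equivalent of: parse regex ... multi | bytes/1024/1024/1024 as gbytes
    | sum(gbytes) as gbytes by collector."""
    totals = defaultdict(float)
    for msg in messages:
        for m in COLLECTOR_RE.finditer(msg):
            totals[m.group("collector")] += int(m.group("bytes")) / GIB
    return dict(totals)


def evaluate_ingest(messages, plan_size_gb, threshold):
    """Mirror the rest of the query: total, the two ratios, and the final
    where clause.

    Returns (rows, alert): rows is the per-collector table with the same
    columns as the query's fields line, sorted by gbytes descending (the
    default direction of `sort by`); alert is True when
    todays_volume / plan_size exceeds the threshold, i.e. when the scheduled
    search would return rows and fire.
    """
    per_collector = gbytes_by_collector(messages)
    todays_volume = sum(per_collector.values())
    against_plan = todays_volume / plan_size_gb
    rows = [
        {
            "collector": name,
            "gbytes": round(gb, 3),
            # guard the empty-result case so a quiet day does not divide by zero
            "collector_pct_of_todaysvolume": round(gb / todays_volume, 4) if todays_volume else 0.0,
            "todays_volume": round(todays_volume, 3),
            "plan_size": plan_size_gb,
            "todaysvolume_against_plan": round(against_plan, 4),
        }
        for name, gb in sorted(per_collector.items(), key=lambda kv: kv[1], reverse=True)
    ]
    return rows, against_plan > threshold


if __name__ == "__main__":
    # plan_size 100 GB and threshold 0.5 match the lab's 50% alert
    table, alert = evaluate_ingest(SAMPLE_MESSAGES, plan_size_gb=100, threshold=0.5)
    for row in table:
        print(row)
    print("ALERT: over 50% of plan" if alert else "under threshold")
```

With the sample data web-prod contributes 50 GiB across two records, db-prod 10 GiB and lab-collector 1 GiB, so todays_volume is 61 GiB and 61/100 crosses the 0.5 threshold; raising the plan to 200 GB drops the ratio to 0.305 and the alert stays quiet, which is the quick way to confirm the where clause behaves as expected before relying on the schedule.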