Hi All, I'm working hard to create a SIEM dashboard that has the AH list: higher priority :1)ab 2)CD 3)if 4)GH rest of the AH: 5)IJ 6)kl 7)MN for each of these systems, I need a list of hosts associated with the AH and what is currently being ingested from the AH.   ... View more

I'm working on splunk data feed outage alert: The following data feed has been detected down: Index=a  sourcetype=splunkd  host=b. Is there someone can point me to the right direction of troubleshooting this issue. Thanks a lot. ... View more

Hi Folks, I can't see what would have caused the false alert to triggered: when I checked this directory I can see plenty of space : Size: 500g   Used: 9.6g   Avail: 491g  use%: 2% the query looks like this: index=a sourcetype=b  MountedON="d" PercentUsedSpace >  90 | stats latest(PercentUsedSpace) as PercentUsedSpace latest(Avail) as Avail latest(Used) as Used latest(UsePct) as UsePct by MountedON | fields MountedON UsePct Used Avail | rename MountedON as "Mount" UsePct as "Percent Used" Used as "Used Space" Avail as "Available Space"   ... View more

Hi Everyone, I run into an issue today in SIT where TIV0 was inaccessible because a similar directory was full. I'm trying to set one alert for DEV and one for SIT and the folder path for each environment is : DEV:/mms/ora1200/u00/oracle. SIT:/mms/ora1201/u00/oracle. this is what i have so far : index=A "/mms/ora1200/u00/oracle" source= B | stats latest(storage_used*) as storage_used* latest(storage_free*) as storage_free* by host mount | where storage_used_percent>90 | eval storage_used=if(storage_used>1000,(storage_used/1000). " GB" ,storage_used+" MB"), storage_free=if(storage_free>1000, (storage_free/1000, (storage_free/1000). " GB", storage_free+" MB") Any feedback will be appreciated.   ... View more

I need to create a Splunk alert that will trigger when storage on /vi/vip_pdh/00d for a host reaches at least 90% capacity. index=A sourcetype=B   /vi/vip_pdh OR /var/log  earliest=-2h | eval UsePct=rtrim(UsePct,"%") | stats latest(UsePct) as UsePct by MountedOn host. Just a Slight correction, I want to monitor both /vi/vip_pdh and /var/log. Thanks! ... View more

Hi Folks,  I'm looking into a blackouts alert that weren't working properly, and the alerts fire for jobs that should be blacked out(ERROR: While inserting Into spm_Delta at line 590 /ERROR DESCRIPTION: ORA-0001 deadlock detected while waiting for resources). Is there anybody can help point me where I should start to fix this problem please. Thanks! ... View more

Hi Guys, my question is  Can priority (the regular P1/P2/P3 column) and job alias from the pw_map lookup be added to this alert as additional columns? I’ve recently started seeing some ingest issues with a few queues, and these columns would help with escalation and determining downstream impacts. ... View more

  How to filter a query? ... View more