What endpoint are you using in the custom action configuration?  I found that if i used something like /api/now/table/incident instead of /api/now/table/x_splu2_splunk_ser_u_splunk_incident(recommended by the alert action gui), I would get new incidents every time.  The downside of using the recommended endpoint is that an intermediate table gets populated in ServiceNow.  The upside is that it does correlations based on the correlation ID sent over from the alert action.  That correlation ID is a hash of the alert name so any future actions that go across to ServiceNow will still correlate under that correlation ID (and originally created incident) and not create new incidents. ... View more

I found a typo in the search and the use of index=* is inefficient so I altered it slightly to use the 'per index thruput' group to get index info from the internal index.  I do see some field dropout in my environment but this works. index="_internal" source="*metrics.lo*" (group=tcpin_connections fwdType=uf) OR group=per_index_thruput | eval hostname=coalesce(hostname,host) | stats values(series) AS index values(version) AS version values(os) AS os BY hostname | table hostname version os index ... View more

As mentioned, save the search as an alert and the threshold would by <1 stats returned would trigger the alert.  A word of caution about monitoring for negatives or low thresholds.  If your data pipelines get backed up, scheduled searches looking for negatives will see little or no data for your search at search time due to a slow pipeline.  This can make you crazy since the pipelines will catch up and you'll be left wondering why splunk is "fibbing" to you.  The truth is at that moment the scheduled search ran, the alert was valid from the search's perspective but looking at it after the fact, all the data will have been filled in.   Caveat emptor ... View more

Are you asking for what you have defined in inputs.conf as far as deny or do you want to find what event codes have been ingested? This question/answer covers the inputs entries related to denies. https://community.splunk.com/t5/Getting-Data-In/How-to-create-more-than-10-blacklists-for-the-same-input/m-p/289583 this search should give you a breakdown of event codes with counts per code. index=wineventlog | stats count by EventCode You'll probably want to expand on that using other fields like source and Name to better understand the codes. ... View more