https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-console-Splunk-Indexer-Serves-status/m-p/500833#M8417 <P>I can see the total number of servers against resource Usage: Deployment:</P> <P>It is showing me 10 out of 12 as two server are out of service due to disk issue.<BR /> below ist he initial search:</P> <PRE><CODE>| rest /services/server/status/partitions-space splunk_server="*-ID-*" | eval free = if(isnotnull(available), available, free) | eval usage = round((capacity - free) / 1024, 2) | eval capacity = round(capacity / 1024, 2) | eval compare_usage = usage." / ".capacity | eval pct_usage = round(usage / capacity * 100, 2) | stats first(fs_type) as fs_type first(compare_usage) AS compare_usage first(pct_usage) as pct_usage by splunk_server,mount_point | rename mount_point as "Mount Point", fs_type as "File System Type", compare_usage as "Disk Usage (GB)", pct_usage as "Disk Usage (%)" </CODE></PRE> <P>===============<BR /> below are sample of result:<BR /> splunk_server Mount Point File System Type Disk Usage (GB) Disk Usage (%)<BR /> A /opt/splunk ext4 7 / 8 89.32<BR /> B /opt/splunk ext4 7 / 8 89.32<BR /> C /opt/splunk ext4 7 / 8 89.32<BR /> D /opt/splunk ext4 7 / 8 89.32<BR /> E /opt/splunk ext4 7 / 8 89.32<BR /> F /opt/splunk ext4 7 / 8 89.32<BR /> G /opt/splunk ext4 7 / 8 89.32<BR /> H /opt/splunk ext4 7 / 8 89.32<BR /> I /opt/splunk ext4 7 / 8 89.32</P> <H1>J /opt/splunk ext4 7 / 8 89.32</H1> <P>total number of resutls are 10. whereas actual servers are 12.<BR /> so now I want to trigger the alert if count of result !=12 </P> Wed, 04 Dec 2019 06:27:35 GMT riqbal47010 2019-12-04T06:27:35Z https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-console-Splunk-Indexer-Serves-status/m-p/500833#M8417 <P>I can see the total number of servers against resource Usage: Deployment:</P> <P>It is showing me 10 out of 12 as two server are out of service due to disk issue.<BR /> below ist he initial search:</P> <PRE><CODE>| rest /services/server/status/partitions-space splunk_server="*-ID-*" | eval free = if(isnotnull(available), available, free) | eval usage = round((capacity - free) / 1024, 2) | eval capacity = round(capacity / 1024, 2) | eval compare_usage = usage." / ".capacity | eval pct_usage = round(usage / capacity * 100, 2) | stats first(fs_type) as fs_type first(compare_usage) AS compare_usage first(pct_usage) as pct_usage by splunk_server,mount_point | rename mount_point as "Mount Point", fs_type as "File System Type", compare_usage as "Disk Usage (GB)", pct_usage as "Disk Usage (%)" </CODE></PRE> <P>===============<BR /> below are sample of result:<BR /> splunk_server Mount Point File System Type Disk Usage (GB) Disk Usage (%)<BR /> A /opt/splunk ext4 7 / 8 89.32<BR /> B /opt/splunk ext4 7 / 8 89.32<BR /> C /opt/splunk ext4 7 / 8 89.32<BR /> D /opt/splunk ext4 7 / 8 89.32<BR /> E /opt/splunk ext4 7 / 8 89.32<BR /> F /opt/splunk ext4 7 / 8 89.32<BR /> G /opt/splunk ext4 7 / 8 89.32<BR /> H /opt/splunk ext4 7 / 8 89.32<BR /> I /opt/splunk ext4 7 / 8 89.32</P> <H1>J /opt/splunk ext4 7 / 8 89.32</H1> <P>total number of resutls are 10. whereas actual servers are 12.<BR /> so now I want to trigger the alert if count of result !=12 </P> Wed, 04 Dec 2019 06:27:35 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-console-Splunk-Indexer-Serves-status/m-p/500833#M8417 riqbal47010 2019-12-04T06:27:35Z https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-console-Splunk-Indexer-Serves-status/m-p/500834#M8418 <P>Just add this to the bottom:</P> <PRE><CODE>... | eventstats count | where count&lt;12 </CODE></PRE> <P>Then set your alarm trigger for <CODE>Number of results</CODE> and <CODE>Greater than 0</CODE>.</P> Wed, 04 Dec 2019 09:29:50 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-console-Splunk-Indexer-Serves-status/m-p/500834#M8418 woodcock 2019-12-04T09:29:50Z