https://community.splunk.com/t5/Splunk-Search/How-to-get-notified-for-indexer-automatic-detention/m-p/484846#M193469 <P>The cluster master dashboard shows status of indexers (via REST call). You can setup an alert to which can query the indexer status at an interval and notify you when the status changes to AutomaticDetention. See this for rest api endpoint details.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/RESTREF/RESTcluster#cluster.2Fmaster.2Fpeers">https://docs.splunk.com/Documentation/Splunk/8.0.2/RESTREF/RESTcluster#cluster.2Fmaster.2Fpeers</A></P> <P>In search query you could do something like this (run on cluster master node)</P> <PRE><CODE>| rest splunk_server=local /services/cluster/master/peers | table title label status | where status="AutomaticDetention" </CODE></PRE> Mon, 02 Mar 2020 16:25:07 GMT somesoni2 2020-03-02T16:25:07Z https://community.splunk.com/t5/Splunk-Search/How-to-get-notified-for-indexer-automatic-detention/m-p/484845#M193468 <P>Im not seeing any way Splunk will notify regarding automatic detention, which usually happens because of disk space issues</P> Mon, 02 Mar 2020 13:42:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-notified-for-indexer-automatic-detention/m-p/484845#M193468 jpillai 2020-03-02T13:42:44Z https://community.splunk.com/t5/Splunk-Search/How-to-get-notified-for-indexer-automatic-detention/m-p/484846#M193469 <P>The cluster master dashboard shows status of indexers (via REST call). You can setup an alert to which can query the indexer status at an interval and notify you when the status changes to AutomaticDetention. See this for rest api endpoint details.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/RESTREF/RESTcluster#cluster.2Fmaster.2Fpeers">https://docs.splunk.com/Documentation/Splunk/8.0.2/RESTREF/RESTcluster#cluster.2Fmaster.2Fpeers</A></P> <P>In search query you could do something like this (run on cluster master node)</P> <PRE><CODE>| rest splunk_server=local /services/cluster/master/peers | table title label status | where status="AutomaticDetention" </CODE></PRE> Mon, 02 Mar 2020 16:25:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-notified-for-indexer-automatic-detention/m-p/484846#M193469 somesoni2 2020-03-02T16:25:07Z https://community.splunk.com/t5/Splunk-Search/How-to-get-notified-for-indexer-automatic-detention/m-p/484847#M193470 <P>If looking for Splunk disk space issue, you can use your monitoring console for space details </P> <P>Splunk &gt;&gt; Setting &gt;&gt; Monitoring Console &gt;&gt; Indexing &gt;&gt; Volume Detail Instance</P> <P>or try below mentioned SPL</P> <PRE><CODE>| rest /services/server/status/partitions-space | eval usage = capacity - free | eval pct_usage = round(usage / capacity * 100, 2) | stats first(fs_type) as fs_type first(usage) as usage first(capacity) as capacity first(pct_usage) as pct_usage by splunk_server, mount_point </CODE></PRE> <HR /> <P>If you want to monitor Space issue in non-Splunk instances, try onboarding perfmon logs, onboarding details are on below mentioned Splunk answer </P> <P><A href="https://answers.splunk.com/answers/454999/how-to-develop-a-search-to-find-free-disk-space-us.html">https://answers.splunk.com/answers/454999/how-to-develop-a-search-to-find-free-disk-space-us.html</A></P> <PRE><CODE>index=perfmon sourcetype="Perfmon:Free Disk Space" counter="Free Megabytes" (instance!="HarddiskVolume*") (instance!=_Total) |dedup host | eval FreeSpace=(Value/1024) | eval GB=tostring(FreeSpace,"commas") | table host instance GB | sort + host instance | rename instance as "Drive Letter" GB as "GigaBytes Free" </CODE></PRE> Mon, 02 Mar 2020 16:30:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-notified-for-indexer-automatic-detention/m-p/484847#M193470 sumanssah 2020-03-02T16:30:09Z https://community.splunk.com/t5/Splunk-Search/How-to-get-notified-for-indexer-automatic-detention/m-p/484848#M193471 <P>Thank you for the quick responses, I will certainly check on this and let you know. But it is a shame there is no better/obvious ways to do this in Splunk, given this is an important event.</P> Mon, 02 Mar 2020 17:24:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-notified-for-indexer-automatic-detention/m-p/484848#M193471 jpillai 2020-03-02T17:24:29Z https://community.splunk.com/t5/Splunk-Search/How-to-get-notified-for-indexer-automatic-detention/m-p/484849#M193472 <P>@somesoni2 This is exactly what I was looking for, once I found there is no user friendly way of doing it. I have setup an alert with this on the master. Thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 03 Mar 2020 04:42:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-notified-for-indexer-automatic-detention/m-p/484849#M193472 jpillai 2020-03-03T04:42:05Z https://community.splunk.com/t5/Splunk-Search/How-to-get-notified-for-indexer-automatic-detention/m-p/555235#M193473 <P>Hi</P><P>I think that the easiest way to get this is an activate MC's Alert: "DMC Alert - Abnormal State of Indexer Processor". Then it informs you e.g. with email that there is issue with indexer.</P><P>r. Ismo</P> Thu, 10 Jun 2021 07:10:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-notified-for-indexer-automatic-detention/m-p/555235#M193473 isoutamo 2021-06-10T07:10:49Z