https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-and-alert-if-any-indexers-are-down/m-p/221139#M64986 <P>Hi,</P> <P>We have 4 indexers and we need to write a search and set up an alert if any of the indexers is down.</P> <P>Can some one please advise on this type of search?</P> <P>Thanks,</P> Wed, 24 Feb 2016 20:29:53 GMT splunker9999 2016-02-24T20:29:53Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-and-alert-if-any-indexers-are-down/m-p/221139#M64986 <P>Hi,</P> <P>We have 4 indexers and we need to write a search and set up an alert if any of the indexers is down.</P> <P>Can some one please advise on this type of search?</P> <P>Thanks,</P> Wed, 24 Feb 2016 20:29:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-and-alert-if-any-indexers-are-down/m-p/221139#M64986 splunker9999 2016-02-24T20:29:53Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-and-alert-if-any-indexers-are-down/m-p/221140#M64987 <P>You probably don't need to write such a search yourself. You should start with the overview dashboard in the Distributed Management Console. It will show you your deployment topology and whether any indexers are down. If you have not configured the Distributed Management Console, see <A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/DMC/DMCoverview">the Distributed Management Console</A> documentation.</P> <P>If you are using indexer clustering, the <A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/Indexer/Howtomonitoracluster">cluster master dashboard</A> will also show you what indexers are up and down.</P> Wed, 24 Feb 2016 20:46:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-and-alert-if-any-indexers-are-down/m-p/221140#M64987 ChrisG 2016-02-24T20:46:26Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-and-alert-if-any-indexers-are-down/m-p/221141#M64988 <P>This would be useful to monitor, but we are looking for a alert to be recieved whenever indexer is down?</P> Wed, 24 Feb 2016 20:58:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-and-alert-if-any-indexers-are-down/m-p/221141#M64988 splunker9999 2016-02-24T20:58:24Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-and-alert-if-any-indexers-are-down/m-p/221142#M64989 <P>But you could set up an alert from the dashboard search, couldn't you?</P> Wed, 24 Feb 2016 21:05:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-and-alert-if-any-indexers-are-down/m-p/221142#M64989 ChrisG 2016-02-24T21:05:08Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-and-alert-if-any-indexers-are-down/m-p/221143#M64990 <P>We are new to the Splunk and need some assistance, Can you please help us?</P> Wed, 24 Feb 2016 21:10:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-and-alert-if-any-indexers-are-down/m-p/221143#M64990 splunker9999 2016-02-24T21:10:56Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-and-alert-if-any-indexers-are-down/m-p/221144#M64991 <P>The DMC has preconfigured alerts for what you want. Enable the "Search Peer Not Responding" alert.</P> <P>DMC Alert - Abnormal State of Indexer Processor [edit]<BR /> One or more of your indexers is reporting an abnormal state.</P> <P>DMC Alert - Critical System Physical Memory Usage [edit]<BR /> One or more instances has exceeded 90% memory usage.</P> <P>DMC Alert - Expired and Soon To Expire Licenses [edit]<BR /> You have licenses that expire or will expire within two weeks.</P> <P>DMC Alert - Missing forwarders [edit]<BR /> One or more forwarders are missing.</P> <P>DMC Alert - Near Critical Disk Usage [edit]<BR /> You have used 80% of your disk capacity.</P> <P>DMC Alert - Saturated Event-Processing Queues [edit]<BR /> One or more of your indexer queues is reporting a fill percentage, averaged over the last 15 minutes, of 90% or more.</P> <P>DMC Alert - Search Peer Not Responding [edit]<BR /> One or more of your search peers is currently down.</P> <P>DMC Alert - Total License Usage Near Daily Quota [edit]</P> Wed, 24 Feb 2016 21:18:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-and-alert-if-any-indexers-are-down/m-p/221144#M64991 bmacias84 2016-02-24T21:18:08Z