Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Additional alerts for Oracle for file system Approching Maximum Capacity?

majilan1
Path Finder
‎10-13-2022 01:59 PM

Hi Everyone,

I run into an issue today in SIT where TIV0 was inaccessible because a similar directory was full.

I'm trying to set one alert for DEV and one for SIT and the folder path for each environment is :

DEV:/mms/ora1200/u00/oracle.

SIT:/mms/ora1201/u00/oracle.

this is what i have so far :

index=A   "/mms/ora1200/u00/oracle"  source= B

| stats latest(storage_used*) as storage_used*  latest(storage_free*) as storage_free* by host mount

| where storage_used_percent>90

| eval storage_used=if(storage_used>1000,(storage_used/1000). " GB" ,storage_used+"  MB"),  storage_free=if(storage_free>1000, (storage_free/1000, (storage_free/1000).  " GB", storage_free+" MB")

Any feedback will be appreciated.

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-13-2022 11:39 PM

Hi @majilan1,

what is the result of your search?

does it run or not?

if not, what's the output?

Anyway I see thet you used a field "storage_used_percent" in the where command that isn't present in the stats command: after a stats command you have only the fields present in the command itself, in other words you don't have the field "storage_used_percent".

you have to calculate it from the fields you have using eval or, if present, to add it to the stats command.

index=A   "/mms/ora1200/u00/oracle"  source= B
| stats 
   latest(storage_used*) as storage_used*
   latest(storage_free*) as storage_free*
   latest(storage_used_percent) AS storage_used_percent
   BY host mount
| where storage_used_percent>90
| eval 
   storage_used=if(storage_used>1000,(storage_used/1000)." GB",storage_used+"  MB"),
   storage_free=if(storage_free>1000,(storage_free/1000,(storage_free/1000).  " GB", storage_free+" MB")

Ciao.

Giuseppe

 

0 Karma
Reply

majilan1
Path Finder
‎10-14-2022 05:45 AM

My query does run, but it generates 0 events, I tried yours and is the samething.

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...