Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Additional alerts for Oracle for file system Approching Maximum Capacity?

majilan1
Path Finder
‎10-13-2022 01:59 PM

Hi Everyone,

I run into an issue today in SIT where TIV0 was inaccessible because a similar directory was full.

I'm trying to set one alert for DEV and one for SIT and the folder path for each environment is :

DEV:/mms/ora1200/u00/oracle.

SIT:/mms/ora1201/u00/oracle.

this is what i have so far :

index=A   "/mms/ora1200/u00/oracle"  source= B

| stats latest(storage_used*) as storage_used*  latest(storage_free*) as storage_free* by host mount

| where storage_used_percent>90

| eval storage_used=if(storage_used>1000,(storage_used/1000). " GB" ,storage_used+"  MB"),  storage_free=if(storage_free>1000, (storage_free/1000, (storage_free/1000).  " GB", storage_free+" MB")

Any feedback will be appreciated.

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-13-2022 11:39 PM

Hi @majilan1,

what is the result of your search?

does it run or not?

if not, what's the output?

Anyway I see thet you used a field "storage_used_percent" in the where command that isn't present in the stats command: after a stats command you have only the fields present in the command itself, in other words you don't have the field "storage_used_percent".

you have to calculate it from the fields you have using eval or, if present, to add it to the stats command.

index=A   "/mms/ora1200/u00/oracle"  source= B
| stats 
   latest(storage_used*) as storage_used*
   latest(storage_free*) as storage_free*
   latest(storage_used_percent) AS storage_used_percent
   BY host mount
| where storage_used_percent>90
| eval 
   storage_used=if(storage_used>1000,(storage_used/1000)." GB",storage_used+"  MB"),
   storage_free=if(storage_free>1000,(storage_free/1000,(storage_free/1000).  " GB", storage_free+" MB")

Ciao.

Giuseppe

 

0 Karma
Reply

majilan1
Path Finder
‎10-14-2022 05:45 AM

My query does run, but it generates 0 events, I tried yours and is the samething.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...