Hi
We are getting the following alerts and are wondering if you could tell us what they mean and what we can do so that we are not using up our licensing quota.
1) DM sourcetypes too much data
2) DM missing sourcetypes
Thank you in advance
It shows you that the alerts you have enabled in Deployment Monitor have triggered.
"DM Sourcetypes too much data" informs you of some sourcetypes that have increased in volume when compared to an earlier point in time. Like, "In the last hour we have received 75% more firewall logs compared with the hour before that".
Conversely, "DM Missing sourcetypes" informs you of some sourcetypes that are not (currently) being received, but they have been before, like "In the last hour we have not received any WindowsEventLogs, but the hour before that, we did".
I don't remember the exact timeslices used for comparison, or the percentage values used as thresholds on too much/too little data. You should check out the landing page of the Deployment Monitor, where these types of message are listed. This is also the place where you can activate alerting on them. Or you can look at the saved searches directly in Manager or the config files.
Hope this helps,
K
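To illustrate the comparison described in the answer above, here is an added example; it is not part of the original thread and is not Deployment Monitor's own saved search. It sums bytes per sourcetype from constructed lines shaped like the `type=Usage` events in Splunk's license_usage.log, then flags growth and missing sourcetypes; the function names, the one-hour slices and the 75% threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not real data), shaped like the type=Usage lines in
# Splunk's license_usage.log, where st is the sourcetype and b the bytes indexed.
SAMPLE = '''\
10-01-2012 09:12:40.000 +0000 INFO LicenseUsage - type=Usage s="fw1" st="firewall" h="fw1" idx="main" b=4000
10-01-2012 09:47:03.000 +0000 INFO LicenseUsage - type=Usage s="dc1" st="WinEventLog" h="dc1" idx="main" b=2500
10-01-2012 09:50:11.000 +0000 INFO LicenseUsage - type=Usage s="web1" st="access_combined" h="web1" idx="main" b=1000
10-01-2012 10:05:40.000 +0000 INFO LicenseUsage - type=Usage s="fw1" st="firewall" h="fw1" idx="main" b=5000
10-01-2012 10:31:09.000 +0000 INFO LicenseUsage - type=Usage s="fw1" st="firewall" h="fw1" idx="main" b=2000
10-01-2012 10:40:00.000 +0000 INFO LicenseUsage - type=Usage s="web1" st="access_combined" h="web1" idx="main" b=1100
'''

# Captures: date plus hour, sourcetype (st), bytes (b).
LINE = re.compile(r'^(\d\d-\d\d-\d{4} \d\d):.*\btype=Usage\b.*\bst="([^"]*)".*\bb=(\d+)')

def bytes_per_hour(text):
    """Return {hour: {sourcetype: bytes}} summed from type=Usage lines."""
    usage = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # skip anything that is not a usage event
            hour, sourcetype, nbytes = m.groups()
            usage[hour][sourcetype] += int(nbytes)
    return usage

def compare(usage, previous, current, threshold_pct=75):
    """Flag sourcetypes that grew by threshold_pct or more, or stopped arriving.

    threshold_pct=75 and the one-hour slices are assumptions taken from the
    illustration in the answer above, not Deployment Monitor's real settings.
    """
    too_much, missing = {}, []
    for sourcetype, before in sorted(usage[previous].items()):
        now = usage[current].get(sourcetype, 0)
        if now == 0:
            missing.append(sourcetype)  # seen in the previous hour, absent now
        elif (now - before) * 100 >= threshold_pct * before:
            too_much[sourcetype] = round((now - before) * 100 / before, 1)
    return too_much, missing

if __name__ == "__main__":
    print(compare(bytes_per_hour(SAMPLE), "10-01-2012 09", "10-01-2012 10"))
```

Sourcetypes that appear only in the current hour are not flagged by this sketch, since there is no earlier volume to compare against.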
DM has been my greatest friend for monitoring which app/server/source etc... was threatening or violating my license limits.
You should use DM to monitor your deployment, and if you see a particular problem, then post a question with the specifics.
Thanks Guys
It is not possible for us to tell you why your alerts are being triggered other than to say what Kristian already said. However, Splunk is built to tell you why; you just have to search for it. In DM for the alert in question, click on the links associated with the alert to drill into the search.
In DM, and other Apps, "Others" means "the others of this category that are not listed because of space/preferences". To view the complete list you need to "view data" or view the data set below the chart.
Hi Kristian
Thank you for the reply. Yes, I have enabled this alert; I wanted to see how it would work.
Now I know what it does (thanks for the explanation). Now I was wondering if you know how this situation occurs and what we can do to avoid it.
I also notice that there is data coming in listed under a host name "Others"; I am guessing this is as you have explained.
Thank you