Re: Alert

uagraw01 · ‎12-28-2020

Hello Members,

I need some suggestions and help. As per my screenshot we can see my events is skipped from 7:17 pm to 8:17 pm. So because of that user complaint for not getting any alerts during that period. Please suggest me how can i further troubleshoot this issue and find out the reason.

richgalloway · ‎12-28-2020

Verify Splunk was running at the time.

Check the Monitoring Console for skipped searches around 8:17.

---
If this reply helps you, Karma would be appreciated.

uagraw01 · ‎12-28-2020

@richgalloway Our application is on Heavy forwarder. And i can see skipped event on HF as showned below and we are using splunk cloud. So please suggest me how can verify exactly with the event .

And how can i maintain my infrastructure HF. If any documents please share with me. Because i need to create an alert when the event count is less in HF then that alert will trigger.

richgalloway · ‎12-28-2020

There is nothing "shown below".

If you're seeing skipped searches then you need to find the cause of the skips and remedy it. Most often the cause is too many searches trying to run at the same time. Changes the schedules of your saved searches and alerts so you don't have too many running at once.

Heavy forwarders should not be running searches at all. They should be running on your cloud or hybrid search head.

---
If this reply helps you, Karma would be appreciated.

Alert

other

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases