I need to write a Splunk alert to check the number of connections on a server. Using the Linux command below I can get the results on the server. But help me out in creating an alert in Splunk with the command.
# 'file' is quoted so the shell does not expand it as a filename glob before grep sees it;
# '[s]shd' keeps the grep process itself out of the match.
ps -ef | grep '[s]shd' | grep -v '^root' | grep -i 'file' | wc -l
That's a pretty straightforward query in Splunk. However, do you have the equivalent of "ps -ef" logged in Splunk? If not, then the alert won't work.
Another option is to create a scripted input that executes that CLI command and logs the result in Splunk. Then you can alert on it.
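One way to build the scripted input described above, as an added example that is not from the original thread or from Splunk. The app name, script path, sourcetype and field name (sshd_sessions) are assumptions; the sample ps output at the bottom is constructed for an offline check and is not real data. The filter is written as a function that reads ps -ef output on stdin so it can be tested without touching the live process table.

```shell
#!/bin/sh
# Hypothetical Splunk scripted input (added example).
# Assumed location: $SPLUNK_HOME/etc/apps/my_app/bin/sshd_sessions.sh
# Assumed inputs.conf stanza in the same app:
#   [script://./bin/sshd_sessions.sh --run]
#   interval = 60
#   sourcetype = sshd_sessions
#   index = os
# Each run emits one key=value event, so the alert can search on the field.

# Count non-root sshd processes whose line mentions "file" (case-insensitive).
# Reads ps -ef style output on stdin.
count_sshd_sessions() {
    # '[s]shd' keeps grep's own process line out of the match;
    # 'file' is quoted so the shell cannot expand it as a filename glob.
    # tr strips the leading spaces some wc implementations print.
    grep '[s]shd' | grep -v '^root' | grep -i 'file' | wc -l | tr -d ' '
}

# Emit the live count as a Splunk event with an ISO-8601 timestamp,
# which Splunk's default timestamp extraction recognises.
emit_event() {
    count=$(ps -ef | count_sshd_sessions)
    printf '%s host=%s sshd_sessions=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname)" "$count"
}

# Constructed sample ps -ef output (not real data) for an offline check.
SAMPLE_PS='UID     PID  PPID  C STIME TTY  TIME     CMD
root    1001     1  0 10:00 ?    00:00:00 /usr/sbin/sshd -D
root    2001  1001  0 10:05 ?    00:00:00 sshd: filesvc [priv]
filesvc 2002  2001  0 10:05 ?    00:00:00 sshd: filesvc@pts/0
filesvc 2003  2001  0 10:06 ?    00:00:00 sshd: filesvc@notty
bob     2004  1001  0 10:07 ?    00:00:00 sshd: bob@pts/1
alice   2005     1  0 10:08 ?    00:00:00 grep --color=auto sshd'

# Only emit the live event when Splunk invokes the script with --run
# (the --run argument is an assumption of this example).
if [ "${1:-}" = "--run" ]; then
    emit_event
fi
```

With the events indexed, the alert is a saved search over the field, for example `index=os sourcetype=sshd_sessions | stats latest(sshd_sessions) as n by host | where n > 50`, scheduled at the same cadence as the interval and triggered when it returns results. The threshold and index name are placeholders to adjust for your environment. On the constructed sample the filter counts 2: the two root lines are excluded, bob's session does not contain "file", and the stray grep line is excluded because it does not mention "file" either.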