On Windows it is even worse: in the Notable Event Aggregation Policy preview window I get this error:
Error in 'itsirulesengine' command: External search command exited unexpectedly with non-zero error code 1.
java version "1.8.0_241"
Java(TM) SE Runtime Environment (build 1.8.0_241-b07)
Java HotSpot(TM) Client VM (build 25.241-b07, mixed mode, sharing
echo %JAVA_HOME%
C:\Program Files (x86)\Java\jre1.8.0_241\
AV disabled
You can try adding the following lines to $SPLUNK_HOME/etc/apps/SA-ITOA/local/itsi_notable_event_status.conf:
[2]
end=1
Then, on the Aggregation Policy Action Rules page, set "If the number of events in this episode is greater than or equal to 1163" as the condition for sending alerts. You will keep getting alerts until the episode is acknowledged.
Refer to https://docs.splunk.com/Documentation/ITSI/4.3.1/Configure/itsi_notable_event_status.conf
Hi @Hemant1, maybe you hit the limit of 50K records returned by a subsearch. You can change the limit in limits.conf, but I encourage you not to use the join command here; maybe you can use "*stats ... by UserID" instead. You can also refer to https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html.