Hello @HansK  Did you find a solution for Deleting the Alert? I have the same issue, yet not resolved. best regards Altin ... View more

well done HansK ... View more

Hi Just an update, our splunk was upgraded to 6.2.3 recently and it broke our SSO. we had to use appServerPorts = 0 option for time being. Thank you ... View more

My best suggestion is to use summary indexing periodically. If you want it in realtime, you're going to need to optimize splunk as much as possible. I also recommend setting up index-time field extraction to help too. ... View more

In order for that sum to work you first need to rename the result of your timechart. Switch to the table view instead of the graph to better understand this. The columns listed there is what eval can use as input. Once you correctly eval yourself a new field it automagically becomes a column there, and will automagically appear in the timechart. ... View more

hmm, still alerting when there are 10 occurence of any DN, not when a single DN is >10 ... View more

I don't believe you can add another line but you could modify the placement of the warning indicator (although it won't be dynamic) Here's the link to the available properties for the gauges(Advanced XML) http://docs.splunk.com/Documentation/Splunk/4.3.3/Developer/CustomChartingConfig-ChartLegend#fillergauge ~Kate ... View more

No problem, @HansK. Could you click the checkmark to accept the answer? ... View more

I think the sourcetype was the key. Once the backlog has cleared I would suggest backing off the max_fd to a value in the hundreds as too high a value could well affect performance. As you know the max_fd defines the maximum number of file descriptors that Splunk will keep open, to capture any trailing data from files that are written to very slowly. You should see if you are hitting the max_fd limit as there will be errors in the splunkd.log TailingProcessor - File descriptor cache is full (100), trimming.. ... View more