I want to restart a remote Windows service from a Splunk search alert script. How do I pass the server name to the script? Is it possible using PowerShell? Do I need to use the same service account running the splunkforwarder service on the client as is running on the SPlunk search head. ... View more

Yes, I read the http://docs.splunk.com/Documentation/Splunk/6.1.1/Alert/Definescheduledalerts document, but I'm still somewhat confused with regard to the following: Coordinate the alert's search schedule with the search time range. This prevents situations where event data is accidentally evaluated twice by the search (because the search time range exceeds the search schedule, resulting in overlapping event data sets), or not evaluated at all (because the search time range is shorter than the search schedule). Schedule your alerting searches with at least 60 seconds of delay. This practice is especially important in distributed search Splunk implementations where event data might not reach the indexer precisely at the moment when it is generated. A delay ensures that you are counting all of your events, not just the ones that were quickest to get indexed. So is this basically telling me I should not do less than 6 minute searches (allowing for 60sec delay)? Essentially. I'd like to know if something occurred in the past 5minutes or would the following work? earliest: -5m@m latest: now cron expression: */5 * * * * ... View more

I have the search and alert working and my script will run if I execute it locally, but since the script is running from the Heavy Forwarder I can't get the application(s) to start. runas /profile /env "C:\Program Files (x86)\Notepad++.exe" >> test-restart.txt runas /profile /env "C:\Program Files (x86)\putty\putty.exe" >> test-restart.txt I was trying to get these simple applications to run before working on the production applications. I also wanted to email the log success or failure of the application(s) start. I did run the following: index=windows host=testserver sourcetype="WinEventLog:Application" EventCode=1000 Type=Warning "Faulting Application name: Test123" | runshellscript Test-Application-restart.bat Here was the output of the above search: External search command 'runshellscript' returned error code 1. Script output= "ERROR "Missing arguments to operator 'runshellscript', expected at least 10, go 2." " ... View more

I have a Windows 2003 Server that is able to report memory stats when running the Windows performance monitor locally on the server. Unfortunately I do not see any data in Splunk for memory for this particular system. All of the other Windows 2003 Servers are displaying memory stats. ... View more