Greetings Splunkers,
I have a basic Real Time Alert (RTA) running that looks at all hosts for this message:
Message="The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly."
The RTA works as expected; however, we reboot various servers every weekend for patches, which ends up triggering this alert. Is there anything I can do in the search parameters to ignore times from 12A-2A on weekends only? If not, is there another event code I can look at that truly is an unexpected shutdown alert?
Also, on a side note, is there a way to change my username? I didn't see the ability to in preferences.