Please help on that   ... View more

Easiest is to just have two alerts.  There's practically *zero* downsides to just building a new search (you can start with your existing one!) and then creating an alert out of it once it appears like you've got the search all sorted out. That being said, I think you might just need to change source = "/tmp/unresponsive" sourcetype=cmi:gems_unresponsive to be able to do both at once.  I'm not sure what you need to change that to though. MAYBE - if /tmp/unresponsive is the source for either server, maybe all it needs is source = "/tmp/unresponsive" ( sourcetype=cmi:gems_unresponsive OR sourcetype=<whatever the sourcetype is for the other servers> ) And honestly, I'd go back to that core piece of the search (index=foo, source=bar, sourcetype=baz) and *find the events* first.  It should make it more obvious how to get their data in there too. ... View more

As per your suggestions we have changed the SQL quiry. After changes results showing it's still "Winows_Support - Operations" group.  Can you please help me here. ... View more

Hi   you can enable debug mode for splunkd.log file before taking diag.  Enable debug logging on all of splunkd.log Splunk software has a debugging parameter (--debug) that you can use when you start Splunk software from the CLI in *nix. This command outputs logs to the $SPLUNK_HOME/var/log/splunk/splunkd.log file. This option is not available on Windows. To enable debugging on Splunk software running on Windows, enable debugging on a specific processor. See Enable debug logging in Splunk Web or Enable debug logging using log.cfg. Navigate to $SPLUNK_HOME/bin. Stop the Splunk platform instance, if it is running. Save your existing splunkd.log file by renaming it, like splunkd.log.old. Restart the instance in debug mode with splunk start --debug. When you notice the problem, stop the instance. Move the new splunkd.log file elsewhere and restore the old file. Stop or restart the instance normally (without the --debug flag) to disable debug logging. Not all messages marked WARN or ERROR indicate actual problems with Splunk software; some indicate that a feature is not being used. for splunk diag run following command  *nix example Windows example ./splunk diag splunk diag             @raghunandan1 ... View more

Index names don't matter here. It's about the data in indexes. Anyway, perfmon data does not include OS version as far as I remember so you need to make sure you have this ingested another way. What data you have in your linux index is beyond me - you should have it docummented somewhere. I suppose you have TA_nix deployed across your environment and some inputs enabled but we don't know which ones and what data you're ingesting. So the question is what data you _have_. If you know this, you'll probably know what to search for yourself. ... View more

@raghunandan1 - Please search in the index=_internal to see if you have errors related to file monitoring from those hosts.   I hope this helps!!! ... View more

Hi @raghunandan1  have you tried using deafult admin password changeme  if default password doesnt work, you might need to reset the password  1. please rename the cuurent passwd to passwd_old , under location $SPLUNK_HOME/etc/passwd 2. go to $SPLUNK_HOME$/system/local create a new file user-seed.conf 3. update follwing details [user_info] USERNAME = admin PASSWORD = changeme  4.restart the splunk. $SPLUNK_HOME/bin/splunk restart after above steps you can able to run reload server class and able to authenticate   ... View more

This is remarkably similar to this question https://community.splunk.com/t5/Alerting/Generate-a-alert-when-the-status-field-change-from-500-to-200/td-p/548811  ... View more