We are using perfmon and I have built some dashboards to show memory/cpu usage and alerts that trigger if each is going above a certain %, is there a way you can obtain the total memory assigned to a server?  What I want to do is to be able to create a table from the total assigned memory and place it in the above dashboards so our testers know how much memory a server has without me manually creating a table with each stat in. ... View more

Hello,  I'm trying to create a RAG dashboard that will show different colours should an issue occur with a service e.g. if a service stops working the stat would show as one and the colour would turn red, I can do this but what I am struggling with is combining multiple index searches into one overall stat e.g. index "windows_perfmon" disk runs out of space, stat increases to 1, a winhostmon index service stops and that stat increases to one, I'm struggling to combine these into one overall stat which would be 2 in this example.  The current search I am using is:  (index=winhostmon host="Splunktest" "Type=Service" sourcetype=WinHostMon DisplayName="Print Spooler" OR DisplayName="Snow Inventory Agent" StartMode="Auto" State="Stopped") OR (index="windows_perfmon" host="Splunktest" object="LogicalDisk" counter="% Free Space" OR counter="Free Megabytes") | eval diskInfoA = if(counter=="% Free Space",mvzip(instance,Value),null()) | eval diskInfoA1 = if(isnotnull(diskInfoA),mvzip(diskInfoA,counter),null()) | eval diskInfoB = if(counter=="Free Megabytes",mvzip(instance,Value),null()) | eval diskInfoB1 = if(isnotnull(diskInfoB),mvzip(diskInfoB,counter),null()) | stats list(diskInfoA1) AS "diskInfoA1", list(diskInfoB1) AS "diskInfoB1" by host, instance, _time | makemv diskInfoA1 delim="," | makemv diskInfoB1 delim="," | eval freePerc = mvindex(diskInfoA1,1) | eval freeMB = mvindex(diskInfoB1,1) | eval usage=round(100-freePerc,2) | eval GB = round(freeMB/1024,2) | eval totalDiskGB = GB/(freePerc/100) | stats max(usage) AS "Disk Usage", max(GB) AS "Disk Free", max(totalDiskGB) AS "Total Disk Size (GB)" by host instance | where not instance="_Total" | where NOT LIKE(instance,"%Hard%") | search "Disk Usage" >90 | stats count The result I get is just count=1  Note in the above example I have stopped the print spooler on the server so the event count should be 2 as there is a disk that is also running above 90% I have also tried the append version but again I cannot get it to combine the results. index=winhostmon host="Splunktest" "Type=Service" sourcetype=WinHostMon DisplayName="Print Spooler" OR DisplayName="Snow Inventory Agent" StartMode="Auto" State="Stopped" | stats count|rename count as Service |append [ search index="windows_perfmon" host="Splunktest" object="LogicalDisk" counter="% Free Space" OR counter="Free Megabytes" | eval diskInfoA = if(counter=="% Free Space",mvzip(instance,Value),null()) | eval diskInfoA1 = if(isnotnull(diskInfoA),mvzip(diskInfoA,counter),null()) | eval diskInfoB = if(counter=="Free Megabytes",mvzip(instance,Value),null()) | eval diskInfoB1 = if(isnotnull(diskInfoB),mvzip(diskInfoB,counter),null()) | stats list(diskInfoA1) AS "diskInfoA1", list(diskInfoB1) AS "diskInfoB1" by host, instance, _time | makemv diskInfoA1 delim="," | makemv diskInfoB1 delim="," | eval freePerc = mvindex(diskInfoA1,1) | eval freeMB = mvindex(diskInfoB1,1) | eval usage=round(100-freePerc,2) | eval GB = round(freeMB/1024,2) | eval totalDiskGB = GB/(freePerc/100) | stats max(usage) AS "Disk Usage", max(GB) AS "Disk Free", max(totalDiskGB) AS "Total Disk Size (GB)" by host instance | where not instance="_Total" | where NOT LIKE(instance,"%Hard%") | search "Disk Usage" >90 | stats count|rename count as Disk ] The end goal of this is to just show one stat on a dashboard and when you click on that number it opens another dashboard that shows you the detail.    Any help would be appreciated.  ... View more

Hello,  I am trying to get the above addon working in our environment. Our environment comprises of 2 heavy forwarders and a deployment server, the heavy forwarders filter all data to Splunk Cloud.  When setting the above addon up I have confirmed that both Heavy forwarders can connect to our on-premise Jira server and both heavy forwarders pull down data from Jira e.g. projects etc.  We have the setup in passthrough mode with passthrough being enabled within Splunk cloud, I'm aware that Splunk cloud will connect to the heavy forwarders and pull information from the KVstore but this does not appear to be happening. The addon within Splunk cloud still try's to connect to Jira when an account is populated in the configuration. When removing the configuration it complains about needing an account. A bearer token has been created within Splunk cloud and both heavy forwarders have been populated with the bearer token.  Has anyone successfully set this up and if so do you have any pointers?    ... View more