Hi,
I have the search query below to monitor the processes/instances running on our servers; the sub-search within the search is getting auto-finalized and false alerts are being triggered.
Below is the search I am having issues with:
| inputlookup process.csv
| eval count=0
| join type=left overwrite=true PROCESS_NAME, SERVER_NAM
[| search index="nix" sourcetype="ps" USER="web" host IN(server1, server1) ARGS="*process.conf"
| dedup host PID
| rex field=ARGS "\/conf\/(?<PROCESS_NAME>\w+.*)"
| search PROCESS_NAME="*"
| rename host as SERVER_NAM
| stats count by SERVER_NAM,PROCESS_NAME]
| search count=0 NOT Maintenance="*"
| sort SERVER_NAM
| streamstats count as row
| table row,SERVER_NAM,PROCESS_NAME,DESC,Comment
As a workaround, I have created a new search for alerting purposes to avoid the false alerts, but that doesn't seem to work either.
New search:
| inputlookup process.csv
| eval count=0
| appendcols override=true maxtime=100 timeout=100
[| search index="nix" sourcetype="ps" USER="web" host IN(server1, server1) ARGS="*process.conf"
| dedup host PID
| rex field=ARGS "\/conf\/(?<PROCESS_NAME>\w+.*)"
| rename host as SERVER_NAM
| stats count by SERVER_NAM,PROCESS_NAME
| sort SERVER_NAM]
| where count=0 AND isnull(Maintenance)
| fields SERVER_NAM, PROCESS_NAME, DESC, Comment
Can you please help me with this search? I've searched for related questions on Splunk Answers but nothing seemed to work.
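The searches above put the comparison inside a `join` subsearch, and a `join` subsearch is cut off by the default subsearch limits (number of results and run time) and returns whatever it had at that point, which leaves expected processes unmatched and makes them look missing. The following is an added example, not the poster's own search, showing the same expected-versus-running comparison written so that the ps data is the main search and only the small lookup goes through a subsearch. It assumes the lookup columns named in the post (SERVER_NAM, PROCESS_NAME, DESC, Comment, Maintenance) and uses an assumed field name `observed` for the instance count:

```spl
index="nix" sourcetype="ps" USER="web" host IN(server1, server1) ARGS="*process.conf"
| dedup host PID
| rex field=ARGS "\/conf\/(?<PROCESS_NAME>\w+.*)"
| rename host AS SERVER_NAM
| stats count AS observed BY SERVER_NAM, PROCESS_NAME
| append [| inputlookup process.csv | eval observed=0]
| stats sum(observed) AS observed, values(DESC) AS DESC, values(Comment) AS Comment, values(Maintenance) AS Maintenance BY SERVER_NAM, PROCESS_NAME
| where observed=0 AND isnull(Maintenance)
| sort SERVER_NAM
| streamstats count AS row
| table row, SERVER_NAM, PROCESS_NAME, DESC, Comment
```

Every expected row from the lookup contributes `observed=0`, every running instance contributes `observed=1`, and the final `stats sum(observed)` leaves the expected processes that were not seen at 0. Running processes that are not in the lookup end up with `observed` greater than 0 and are dropped by the `where`, so the result set contains only expected-but-missing processes that are not flagged for maintenance. The `append` subsearch is still subject to subsearch limits, but it only reads the lookup, so it stays well under them; the ps data, which is what grows, is never inside a subsearch. Keep the search time range to one collection interval of the ps input, otherwise a process that has since died can still count as observed.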