Update savedsearches.conf

gjanders · May 2, 2024 · 5c63fdd · 5c63fdd
1 parent 4300f09
commit 5c63fdd
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/default/savedsearches.conf b/default/savedsearches.conf
@@ -2585,7 +2585,7 @@ search = `comment("Detect search head issues related to extended search head dow
 `comment("The search head cluster captain is disconnected can relate to a SH cluster restart *or* if outside a rolling restart this may require a restart of the problematic search head...")`\
 `comment("In addition to this you could also look for \"Error pushing configurations to captain\" consecutiveErrors>1 , this would also hint at a potential issue although a small number of consecutive errors appears to be normal...")`\
 `comment("If you see the message \"Consider performing a destructive configuration resync on this search head cluster member\", then it's a real issue and often requires manual intervention...")` \
-index=_internal `searchheadhosts` "Local KV Store has replication issues" OR ("ConfReplicationThread" "captain") OR ("SHCMasterHTTPProxy" "Low Level http request" NOT "did not satisfy regex" NOT "does not exist" NOT "peer already has artifact" NOT "has inflight replications" NOT ("failed on report target request" "not found")) sourcetype=splunkd (`splunkadmins_splunkd_source`) \
+index=_internal `searchheadhosts` "Local KV Store has replication issues" OR ("ConfReplicationThread" "captain") OR ("SHCMasterHTTPProxy" "Low Level http request" NOT "did not satisfy regex" NOT "does not exist" NOT "peer already has artifact" NOT "has inflight replications" NOT ("failed on report target request" "not found")) OR (component=SHCArtifactId "does not match") sourcetype=splunkd (`splunkadmins_splunkd_source`) \
 | regex "\S+\s+\S+\s+\S+\s+(ERROR|WARN)" \
 | eval search_head=host \
 | eval search_head_cluster=`search_head_cluster` \
@@ -2595,6 +2595,7 @@ index=_internal `searchheadhosts` "Local KV Store has replication issues" OR ("C
 | stats min(_time) AS firstSeen, max(_time) AS mostRecent, values(_raw) AS _raw, max(cluster_count) AS cluster_count, max(consecutiveErrors) AS consecutiveErrors by host, cluster_label, search_head_cluster \
 | eval firstSeen=strftime(firstSeen, "%+"), mostRecent=strftime(mostRecent, "%+") \
 | where (match(_raw, "Error pushing configurations") AND consecutiveErrors>4) OR (match(_raw, "Error pulling configurations") AND consecutiveErrors>2) OR NOT match(_raw, "Error (pushing|pulling) configurations") \
+| eval _raw=mvindex(_raw,0,40)
 | fields - cluster_label, consecutiveErrors
 disabled = 1