This should get you started on disk fillings. Set it up as a scheduled search that sends an email if there are results. Change the '85' to your own threshold value.
I don't have anything for memory spikes.
index="os" sourcetype="df" | multikv fields FileSystem, UsePct | strcat host '@' Filesystem Drive| replace "*%" with "*" in UsePct | dedup Drive | table Drive IPAddress UsePct | where UsePct > 85
This should get you started on disk fillings. Set it up as a scheduled search that sends an email if there are results. Change the '85' to your own threshold value.
I don't have anything for memory spikes.
index="os" sourcetype="df" | multikv fields FileSystem, UsePct | strcat host '@' Filesystem Drive| replace "*%" with "*" in UsePct | dedup Drive | table Drive IPAddress UsePct | where UsePct > 85