topic Re: Create alert for disk usage in Alerting

How to create an alert for disk usage?

uchoavaz — Sun, 18 Sep 2022 23:41:49 GMT

Hello!

i am sending from a host to splunk cloud logs from the disk usage. Here is an example how the events are:

/dev/nvme4n1p1 xfs 50G 555M 50G 2% 25M 33K 25M 1% /var/www

where "2%" field is called as "Use_". How can i create an alert/search when this number (without the percentage symbol) is higher than 80 ?

Thanks!

gcusello — Sat, 17 Sep 2022 14:17:38 GMT

you have to extract the remaining disk space using a regex and then cheate a condition:

index?your_index | rex "^(?<device>[^ ]+)\s+\w+\s+\w+\s+\w+\s+\w+\s+(?<disk>\d+)" | where disk>80

Ciao.

Giuseppe

uchoavaz — Sun, 18 Sep 2022 14:19:33 GMT

Worked! Thanks.

uchoavaz — Tue, 20 Sep 2022 21:07:37 GMT

@gcusello i have an issue here with this regex... it is not filtering this type of event:

/dev/mapper/group1-mountpoint_www xfs 9.0G 674M 8.4G 8% 4.5M 33K 4.5M 1% /var/www

basically what changes is the filesystem name (uses "-" and "_") and the size of the numbers and the sizy (M, G, K).

PS: I know that in your example the disk needs to be higher than 80, but i changed the value to 2.

uchoavaz — Tue, 20 Sep 2022 21:26:35 GMT

I know that the issue is at the dot (".") that can exist or not in the column 3,4 or 5. But how can i put that in the regex?

gcusello — Wed, 21 Sep 2022 06:41:55 GMT

please try this:

index?your_index | rex "^(?<device>[^ ]+)(\s+[^ ]+){4}\s+(?<disk>\d+)" | where disk>80

Ciao.

Giuseppe