topic Re: index=os source=df in Splunk Search

index=os source=df

Splunk_U — Fri, 11 Jan 2013 17:43:27 GMT

When executing the search "index=os source=df" it is gvng me the data for /dev/ammper/system-root and /dev/sda...is there is a way that I can get the data only for /dev/mapper/system-root????

Re: index=os source=df

mattwesthoff — Sat, 12 Jan 2013 19:39:57 GMT

Just add "/dev/mapper/system-root" to your search!

index=os source=df "/dev/mapper/system-root"

(If you only want to match that path in a specific field obviously just put field=/dev/mapper/system-root)

Re: index=os source=df

Splunk_U — Sun, 13 Jan 2013 23:55:37 GMT

Yes...I have used Filesystem=/dev/mapper/system-root and it is working fine now

Re: index=os source=df

mikelanghorst — Mon, 14 Jan 2013 16:28:25 GMT

index=os source=df "/dev/mapper/system-root" | multikv | search Filesystem="/dev/mapper/system-root"

will return only that single line.

*minor edit to add "search" before Filesystem

Re: index=os source=df

Splunk_U — Mon, 14 Jan 2013 16:30:40 GMT

I dont understand why have you given multikv where you have not given anf feilds with that? For me index=os source=df Filesystem="/dev/mapper/system-root" has given me the result set that I wanted

Re: index=os source=df

mikelanghorst — Mon, 14 Jan 2013 16:35:18 GMT

multikv is just responsible for taking a table set of results, and splitting them into individual lines and field extracting.

Without the multikv, it will return the full df output. With it, just the single line.