Solved: How to create an alert for disk usage?

uchoavaz · ‎09-17-2022

Hello!

i am sending from a host to splunk cloud logs from the disk usage. Here is an example how the events are:

/dev/nvme4n1p1	xfs	50G	555M	50G	2%	25M	33K	25M	1%	/var/www

where "2%" field is called as "Use_". How can i create an alert/search when this number (without the percentage symbol) is higher than 80 ?

Thanks!

gcusello · ‎09-17-2022

you have to extract the remaining disk space using a regex and then cheate a condition:

index?your_index
| rex "^(?<device>[^ ]+)\s+\w+\s+\w+\s+\w+\s+\w+\s+(?<disk>\d+)"
| where disk>80

Ciao.

Giuseppe

uchoavaz · ‎09-18-2022

Worked! Thanks.

gcusello · ‎09-17-2022

you have to extract the remaining disk space using a regex and then cheate a condition:

index?your_index
| rex "^(?<device>[^ ]+)\s+\w+\s+\w+\s+\w+\s+\w+\s+(?<disk>\d+)"
| where disk>80

Ciao.

Giuseppe

uchoavaz · ‎09-20-2022

@gcusello i have an issue here with this regex... it is not filtering this type of event:

/dev/mapper/group1-mountpoint_www	xfs	9.0G	674M	8.4G	8%	4.5M	33K	4.5M	1%	/var/www

basically what changes is the filesystem name (uses "-" and "_") and the size of the numbers and the sizy (M, G, K).

PS: I know that in your example the disk needs to be higher than 80, but i changed the value to 2.

gcusello · ‎09-20-2022

please try this:

index?your_index
| rex "^(?<device>[^ ]+)(\s+[^ ]+){4}\s+(?<disk>\d+)"
| where disk>80

Ciao.

Giuseppe

uchoavaz · ‎09-20-2022

I know that the issue is at the dot (".") that can exist or not in the column 3,4 or 5. But how can i put that in the regex?

How to create an alert for disk usage?