Solved: Splunk Add-on for Unix and Linux: How to extract a...

sekharsidh · ‎02-25-2016

I have configured TA nix for our Linux systems and I need to generate an alert when CPU % goes past, lets say, 70%. I think I need to write the rex for this. This is what I am writing:

index=os source=df host = * Filesystem="/dev/mapper/osvg-appbin" OR Filesystem="/dev/mapper/vgapp-appvar" OR "/mqshare" OR "/appdata" | rex "(?\d\d%)" | where UsePct>"30%" | stats count by host,source,UsePct

But it gives me values which are 6% as well. I have very limited knowledge on rex. I need some search which will look for values from 0 % to 100% and alert me if it goes past 70%. Any suggestions will be really helpful and appreciated.

sekharsidh · ‎02-25-2016

I think I got the answer by doing some R&D. Here is the query which seem to work for me:

index=os source=df host = * Filesystem="/dev/mapper/osvg-appbin" OR Filesystem="/dev/mapper/vgapp-appvar" OR "/mqshare" OR "/appdata" | rex "(?\d+)%" | where UsePct>30 | stats count by host,source,UsePct

Result:

host        source  UsePct  count
XXXXXXXX    df      46      12

View solution in original post

sekharsidh · ‎02-25-2016

I think I got the answer by doing some R&D. Here is the query which seem to work for me:

index=os source=df host = * Filesystem="/dev/mapper/osvg-appbin" OR Filesystem="/dev/mapper/vgapp-appvar" OR "/mqshare" OR "/appdata" | rex "(?\d+)%" | where UsePct>30 | stats count by host,source,UsePct

Result:

host        source  UsePct  count
XXXXXXXX    df      46      12

Splunk Add-on for Unix and Linux: How to extract a field with rex to alert when CPU usage is greater than 70%?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7