Need a report that:
P.S. Not interested in volumes with a high percentage of used disk space - only in those that had a spike of, say, more than 20%.
I am assuming I'd need to: UsePct for a volume and then leave only those with the delta > 20; timechart or something similar on those volumes. Blanking out on how to do that and would appreciate your help - thanks!
P.P.S. This is as far as I've gotten - and it seems to correctly ID volumes with usage spikes (updated May 5):
sourcetype=WinHostMon source=disk FileSystem!="SNFS"
| stats min(storage_used_percent) as min,
        avg(storage_used_percent) as avg,
        max(storage_used_percent) as max
        by host, Name, FileSystem, DriveType
| eval delta = max - avg
| where delta > 20
| sort - max delta avg
The above produces the full stats table for all hosts and their volumes that had a spike; adding | fields host Name to it would produce just the hosts and volume names; the question remains: what is the best way to plot storage_used_percent on those volumes over the timeframe of the search?
P.P.P.S. Bonus points for streamlining the above search and making it faster; generally a streamlined mechanism for pinpointing anomalies (spikes, unusual deviations or volatility) on any available metrics - such as CPU, memory, disk and network utilization. (I have yet to properly configure Splunk infrastructure apps - perhaps such mechanisms are included in those.)
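One way to keep the per-event series for only the spiking volumes and chart them in a single pass, as an added example that is not part of the original post: eventstats attaches the per-volume avg and max to every raw event (rather than collapsing them as stats does), so the same max - avg > 20 test from the search above can filter events before timechart. The sourcetype, source and field names (storage_used_percent, host, Name, FileSystem) are taken from the post; the 1h span and the host:Name series label are assumptions.

```spl
sourcetype=WinHostMon source=disk FileSystem!="SNFS"
``` Attach the per-volume summary to each event instead of collapsing the rows
| eventstats avg(storage_used_percent) AS avg
             max(storage_used_percent) AS max
             BY host Name
``` Keep only events belonging to volumes whose peak exceeded their average by 20 points
| where max - avg > 20
``` Build one series name per volume so both host and drive letter survive the split
| eval volume = host . ":" . Name
``` limit=0 keeps every spiking volume as its own series (the default shows only the top 10)
| timechart limit=0 span=1h max(storage_used_percent) BY volume
```

Because eventstats has to hold the whole result set to compute the per-volume max, this is best run over a bounded time range; the stats-based search already on the page remains the cheaper way to produce just the list of affected volumes.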