Splunk Search

report on disk usage spikes?

mitag
Contributor

Need a report that:

  1. Lists volumes with significant disk usage spikes over a given timeframe.
  2. Plots those disk usage spikes over time.

P.S. Not interested in volumes with a high percentage of used disk space - only in those that had a spike of, say, more than 20%.

I am assuming I'd need to:

  1. List volumes that had such a spike by calculating max and average values for e.g. UsePct for a volume and then leaving only those with the delta > 20;
  2. Run a timechart or something similar on those volumes.

Blanking out on how to do that and would appreciate your help - thanks!

P.P.S. This is as far as I've gotten - and it seems to correctly ID volumes with usage spikes (updated May 5):

sourcetype=WinHostMon source=disk FileSystem!="SNFS"
| stats min(storage_used_percent) as min,
        avg(storage_used_percent) as avg,
        max(storage_used_percent) as max
        by host, Name, FileSystem, DriveType
| eval delta = max - avg
| where delta > 20
| sort - max delta avg

The above produces the full stats table for all hosts and their volumes that had a spike; adding | fields host Name to it would produce just the hosts and volume names. The question remains: what is the best way to plot storage_used_percent on those volumes over the timeframe of the search?

P.P.P.S. Bonus points for streamlining the above search and making it faster; generally a streamlined mechanism for pinpointing anomalies (spikes, unusual deviations or volatility) on any available metrics - such as CPU, memory, disk and network utilization. (I have yet to properly configure Splunk infrastructure apps - perhaps such mechanisms are included in those.)

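One way to plot only the volumes that spiked, added here as an example and not taken from the original post: instead of running the stats filter and then a second search, compute the per-volume max and average with eventstats, which writes the aggregates back onto every event in one pass over the data, keep only events from volumes whose max-to-average delta exceeds 20, and timechart what is left. Field names (storage_used_percent, host, Name, FileSystem) are those used in the post; the 1h span and the "host Name" series label are assumptions.

```spl
sourcetype=WinHostMon source=disk FileSystem!="SNFS"
| eval volume = host . " " . Name
| eventstats avg(storage_used_percent) AS avg, max(storage_used_percent) AS max BY volume
| where (max - avg) > 20
| timechart span=1h limit=0 max(storage_used_percent) BY volume
```

limit=0 stops timechart from collapsing everything past the tenth series into OTHER, so every spiking volume gets its own line. Two caveats: max minus avg is pulled by a single bad sample and says nothing about sudden drops (a volume that was cleaned up also changed by more than 20 points), and eventstats holds the whole result set on the search head, so narrow the time range or the sourcetype filter before reaching for it on very large data.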
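For the more general "flag anything unusual on any metric" request in the P.P.P.S., an added example (not from the original post) that scores each sample against a rolling baseline of the previous samples for the same series: streamstats computes a moving average and standard deviation per volume, and a sample more than three standard deviations from that baseline is flagged. The window of 24 samples and the threshold of 3 are assumptions; swap storage_used_percent for any numeric field (CPU, memory, network counters) and adjust the BY field to whatever identifies that series.

```spl
sourcetype=WinHostMon source=disk FileSystem!="SNFS"
| eval series = host . " " . Name
| reverse
| streamstats window=24 avg(storage_used_percent) AS base_avg, stdev(storage_used_percent) AS base_sd BY series
| eval zscore = if(base_sd > 0, (storage_used_percent - base_avg) / base_sd, 0)
| where abs(zscore) > 3
| table _time, series, storage_used_percent, base_avg, base_sd, zscore
```

The reverse is there because search returns events newest first and streamstats walks results in the order it receives them; without it the "baseline" would be built from the future. The window includes the current sample, which slightly dampens the score of the very event being tested; a flat series (base_sd of 0) is scored 0 rather than dividing by zero. Splunk also ships an anomalydetection command that does a similar job with less ceremony, which is worth trying before building much on top of this.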