Dashboards & Visualizations

Remove unwanted subfolders in dashboard


Hi Splunkers,

We are getting unwanted sub folders when we search for a particular sub folder

I am creating a query which displays the file system for a particular folder. But I am getting all the folder names instead of a particular folder name alone.

Consider, in server xyz, we are having n number of file system (example, /, /var, /var/abc, /var/abc/cde, etc. ). When I am searching for /var alone by giving that in query, it displays /var and all the sub folders in it. But that is not as expected.

index=" " sourcetype= " " mn=/ OR /var | eval Usage=replace(Used,"%","") | timechart values(usage) as Used by mn

note: mn means the file system name

Expected output:
Chart should show only / and /var file systems.

Output we are getting now:
Chart should show only / and /var and /var/abc and /var/abc/cde

Labels (1)
0 Karma


@thaara if you are using the following query I dont see how other subfolder will show up as you have not used * in the mn filter

 index=" " sourcetype= " " mn IN ("/","/var") 
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!