Re: forwarder disk space issue

Susha · ‎10-21-2021

Hi All,

i am using below query to get forwarder disk utilization .. but its not working ..

index=os sourcetype=df host=de1secsplfwd002.dc-r.security.vodafone.com | strcat host '@' Filesystem Host_FileSystem | timechart avg(UsePct) by Host_FileSystem

basically our forwarder disk space is getting filled because of some specific intelligence logs..

here we want to highlight respective team that because of their logs its getting sudden surge logs..

somesoni2 · ‎10-21-2021

What issues are you seeing with result?

nmohammed · ‎10-21-2021

@Susha

Is your forwarder sending disk space data and are you able to see any data in index=os ? breakdown the search query into individual parts and check

index=os sourcetype=df host=de1secsplfwd002.dc-r.security.vodafone.com

index=os sourcetype=df host=de1secsplfwd002.dc-r.security.vodafone.com
| strcat host '@' Filesystem Host_FileSystem

forwarder disk space issue

heavy forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation