Monitoring Splunk

Predict Judgement day for a disksystem


Hey guys, I have built a couple of dashboards around capacity management and I use the Splunk predict command to determine when disk space hits 0%. It works really well. See the attached image.

Now I need help to build a search which just returns the date as a single value where the red line/Judgement day is. Any creative ideas how to do that?

Here is a search I currently use:
index=perfmon host="my hostname" instance="H:" sourcetype="Perfmon:LogicalDisk" counter="% Free Space" | timechart avg(Value) as UsedSpace | predict UsedSpace algorithm=LLP5 future_timespan=180

0 Karma


I couldn't find a clean and easy way to do this. In fact, I couldn't find a messy and hard way to do this.

But then I had a thought - those do happen from time to time - and might have a way to get this done.

A few weeks ago I saw an app released that integrates R into Splunk. R is a ... well, don't take it from me, follow the link I provided to the Splunk app and read up on it yourself.

R can do practically anything. Well, anything statistical. A quick search turned up pages like this page which show you a function that can be used to find where a time series crosses the X axis.

Are there other ways to do this using R? Probably. Do I have those magic answers? Nope. Not even close. Perhaps, though, if you ask real nicely, you may be able to get help from the tool's author (listed on the Docs page of the app) or at least some pointers.

For what it's worth, some playing around may get you the answer you are looking for anyway. It might "just work" mostly like you'd expect. (I'm not holding my breath, but that would be brilliant if it did!)

So, while I'd be overjoyed if there was a clean easy way I just overlooked in Splunk to do this, I hope that at least this may give you a glimmer of hope. If you find an answer, could we ask you to post it in here so that others who may want this same sort of functionality will be able to find it? Thanks!

0 Karma
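
Added example, not part of the original thread or of the R app mentioned above: the zero-crossing idea from the answer, written in Python rather than R, returning the single date on which the predicted series reaches 0. It assumes the search results were exported as rows with `_time` in epoch seconds and the default `prediction(UsedSpace)` and `lower95(prediction(UsedSpace))` fields that `predict UsedSpace` emits; the function name and the sample rows are constructed for illustration.

```python
from datetime import datetime, timezone

PRED = "prediction(UsedSpace)"            # default field name from `predict UsedSpace`
LOWER = "lower95(prediction(UsedSpace))"  # lower bound of the 95% confidence band

def first_zero_crossing(rows, field=PRED):
    """Return the UTC datetime at which `field` first reaches 0, or None."""
    prev = None
    for row in sorted(rows, key=lambda r: float(r["_time"])):
        raw = row.get(field)
        if raw in (None, ""):
            continue  # empty bucket: skip it rather than read it as 0
        t, v = float(row["_time"]), float(raw)
        if v <= 0:
            if prev is None:
                hit = t  # already at or below zero at the first usable sample
            else:
                t0, v0 = prev
                hit = t0 + (t - t0) * v0 / (v0 - v)  # linear interpolation
            return datetime.fromtimestamp(hit, tz=timezone.utc)
        prev = (t, v)
    return None  # no crossing inside future_timespan

# Constructed sample: daily buckets starting 2024-01-01 00:00 UTC (assumed export
# shape: _time as epoch seconds, values as strings).
DAY0 = 1704067200
SAMPLE = [
    {"_time": str(DAY0 + 86400 * i), PRED: str(p), LOWER: str(lo)}
    for i, (p, lo) in enumerate([(7.5, 6.0), (4.5, 3.0), (1.5, -1.0), (-1.5, -4.0)])
]

if __name__ == "__main__":
    print("expected:", first_zero_crossing(SAMPLE))
    print("earliest (lower95):", first_zero_crossing(SAMPLE, LOWER))
```

Running it against the lower95 field as well gives the earliest date the confidence band allows, which is the safer number to plan capacity around.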