Monitoring Splunk

Predict Judgement day for a disksystem

Norling80
Path Finder

Hey guys, I have build a couple of dashboards around capacity management and I use the Splunk predict command to determine when disk space hit´s 0%, it works really well. see the attached image.
alt text

Now I need help to build a search which just returns the date as a single value where the red line/Judgement day is. Any creative ideas how to do that?

Here is a search i currently use:
index=perfmon host="my hostname" instance="H:" sourcetype="Perfmon:LogicalDisk" counter="% Free Space" | timechart avg(Value) as UsedSpace | predict UsedSpace algorithm=LLP5 future_timespan=180

0 Karma

Richfez
SplunkTrust
SplunkTrust

I couldn't find a clean and easy way to do this. In fact, I couldn't find a messy and hard way to do this.

But then I had a thought - those do happen from time to time - and might have a way to get this done.

A few weeks ago I saw an app released that integrates R into Splunk. R is a ... well, don't take it from me, follow the link I provided to the Splunk app and read up on it yourself.

R can do practically anything. Well, anything statistical. A quick search turned up pages like this page which show you a function that can be used to find where a time series crosses the X axis.

Are there others ways to do this using R? Probably. Do I have those magic answers? Nope. Not even close. Perhaps, though, if you ask real nicely, you may be able to get help from the tool's author (listed on the Docs page of the app) or at least some pointers.

For what its worth, some playing around may get you the answer you are looking for anyway. It might "just work" mostly like you'd expect. (I'm not holding my breath, but that would be brilliant if it did!)

So, while I'd be overjoyed if there was a clean easy way I just overlooked in Splunk to do this, I hope that at least this may give you a glimmer of hope. If you find an answer, could we ask you post it in here so that others who may want this same sort of functionality will be able to find it? Thanks!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...