- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Disk Space Pie Charts from "df" Script in UNIX App
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd like to set up pie charts for disk space from data coming from the "df" scripts from the UNIX app. In looking through the charting docs, I can see how to chart "count" data, but I am unclear how to chart a single value, coming from the "df" script. I tried the "transpose" command, but only "UsedG" is coming up on the chart.
The search below was developed with help from the Splunk Answers KB. Notice that we convert the "Used" field to gigabytes. It goes to a field called "UsedG", but this seems to screw up the table. It adds "UsedG" to the table, even though it is not defined in the search.
I basically want to use "Used" and "Available", which should give a complete pie chart. If there was a way to chart "Size" and "Used", that would probably be more accurate.
Thanks for the help!
host="myhost" sourcetype="df"
| multikv fields Filesystem Type Size Used Avail UsePct MountedOn
| search /home | table MountedOn Size Used Avail
| eval UsedG = case(match(Used,"[M]"),round(tonumber(rtrim(Used,"M"))/1024,3),
match(Used,"[T]"),round(tonumber(rtrim(Used,"T"))*1024,3),
match(Used,"[G]"),round(tonumber(rtrim(Used,"G")),3))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(Updated with convert command instead of eval, and explanation - also updated to address "every 5 minute" problem)
My first question is - so why do you calculate UsedG if you never want to use it?
This will get your pie chart
host="myhost" sourcetype="df" earliest=-10m
| multikv fields Used Avail MountedOn
| search /home
| dedup MountedOn
| eval s = "Used,Available"
| makemv delim="," allowempty=t s
| mvexpand s
| eval Size = if(s=="Used",Used,Avail)
| convert memk(Size) as Size
| chart sum(Size) as "Size in Gb" by s
Try this for a column chart:
host="myhost" sourcetype="df"
| multikv fields Filesystem Type Size Used Avail UsePct MountedOn
| dedup MountedOn
| eval s = "Used,TotalSize"
| makemv delim="," allowempty=t s
| mvexpand s
| eval Size = if(s=="Used",Used,Size)
| convert memk(Size) as Size
| chart sum(Size) as "Size in Gb" by MountedOn, s
Explanation by line -
host="myhost" sourcetype="df"
| multikv fields Filesystem Type Size Used Avail UsePct MountedOn
The initial search and field extraction
| eval s = "Used,TotalSize"
| makemv delim="," allowempty=t s
| mvexpand s
Create a new variable s that contains 2 values. Tell Splunk to consider this a multi-valued field. Expand this event into two events, one for each value of s. Except for that, the events are the same. This turns s back into a single-valued field, but creates multiple events.
| eval Size = if(s=="Used",Used,Size)
Set the variable Size to the amount of disk used, when the field s refers to "used". Otherwise, the field is the total size, so use the original Size field
| convert memk(Size) as Size
Convert the Size into a true numeric field, representing KB
| chart sum(Size) as "Size in Gb" by MountedOn, s
Chart the size field, breaking it down by mount point, and within that by Used and TotalSize. If you chart this using a column chart, you can see the two bars side-by-side.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
