Splunk Search

Disk usage Alerts

Voltaire
Communicator

I am trying to set up a search then alert on our *nix systems SAN-LUNs storage system. I modified a default *NIX disk usage search, however it only works with reporting on /dev/sda usage. I do not know how to specify the variables for a SAN storage LUN or BOOT partition.

I have enclosed a copy of my FSTAB file, and a df listing. (Sorry about the formatting?)

FSTAB /dev/VolGroup00/LogVol00 / ext3 defaults 1 1 LABEL=/boot /boot ext3 defaults 1 2 tmpfs /dev/shm tmpfs defaults 0 0 devpts /dev/pts devpts gid=5,mode=620 0 0 sysfs /sys sysfs defaults 0 0 proc /proc proc defaults 0 0 /dev/VolGroup00/LogVol01 swap swap defaults 0 0

root@ihswp1 adminmm0]# df -h -T Filesystem Type Size Used Avail Use% Mounted on

/dev/mapper/VolGroup00-LogVol00 ext3 9.7G 8.6G 602M 94% / /dev/sda1 ext3 99M 24M 71M 26% /boot tmpfs tmpfs 1014M 0 1014M 0% /dev/shm

Any help would be appreciated. Thank you

V

Tags (1)

gkanapathy
Splunk Employee
Splunk Employee

You should look at the formatting tools in the input box toolbar. There is a button to format code so that it displays as typed in the box.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

You should look at the Splunk for Unix app, in particular the df.sh script for collecting information about your disks in a convenient format for Splunk to parse.

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...