
How to edit my search to reflect stats related the current size of a disk volume (the volume changes as needed as space increases)?

tyronetv
Communicator

I have a report on disk volumes that runs nightly. Recently I have started collecting data for a volume that changes in size as the need for space increases. I would like my report to reflect the stats related to the current volume size and not have multiple entries based upon differing sizes for the same volume.

BASE_HOST  | VOLUME    | Size | Trend    | Smallest | Peak  | Current | Average |        Last Updated 
clt11evfs2 | /iarchive | 5.4T |  graph   |    96.00 | 98.00 |   98.00 |   97.19 | 12/14/2016 08:35:54 
clt11evfs2 | /iarchive | 5.6T |  graph   |    95.00 | 96.00 |   96.00 |   95.03 | 12/16/2016 09:26:06 

(where it says graph it's a sparkline)

As you can see, I get returns for both 5.4T and 5.6T when all I want is the 5.6T.

index=os sourcetype=df filesystem=* Type=nfs* filesystem=*evfs*| 
rex field=filesystem "(?<HOST>[^\:]+)\:(?<SHARE>[^$]+)"|
rex field=SHARE "^(?<VOLUME>\/[^\/]+)"| 
rex field=Size "^(?<SizeValue>\d+)(?<SizeUnit>\w)" |
lookup dnsLookup ip as HOST|
eval HOST=lower(host)|
eval HOST=lower(HOST)| 
fillnull value="nope" HOST|
rex field=HOST "^(?<BASE_HOST>[^.]+)" | 
rex field=BASE_HOST mode=sed "s/qa//" |  
stats sparkline(avg(PercentUsedSpace),15m) as Trend  min(PercentUsedSpace) as Smallest, max(PercentUsedSpace) as Peak, latest(PercentUsedSpace) as Current, avg(PercentUsedSpace) as Average, latest(_time) as "Last Updated" by BASE_HOST, VOLUME, Size | 
convert ctime("Last Updated") | 
sort -Current |
eval Average=round(Average, 2) | 
eval Peak=round(Peak, 2) | 
eval Current=round(Current, 2) |
eval Smallest=round(Smallest, 2)

gokadroid
Motivator

If all you need is the last line and you want to do all the SPL stuff that you have already done, did you try tail?

your query to return above events
| tail 1

rjthibod
Champion

Does using latest(Size) as Size in your stats command give you what you want?

stats sparkline(avg(PercentUsedSpace),15m) as Trend min(PercentUsedSpace) as Smallest, max(PercentUsedSpace) as Peak, latest(PercentUsedSpace) as Current, avg(PercentUsedSpace) as Average, latest(_time) as "Last Updated" latest(Size) as Size by BASE_HOST, VOLUME

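To show why grouping on Size splits one volume into several rows while latest(Size) collapses them, here is an added Python emulation of the two stats variants (not code from the thread or from Splunk). It runs over a constructed set of df events (the timestamps and percentages are made up, not the poster's data) and leaves out the sparkline; the remaining aggregations mirror the stats command above.

```python
from collections import defaultdict

# Constructed sample of nightly df events, in the shape
# (_time, BASE_HOST, VOLUME, Size, PercentUsedSpace).
# /iarchive grows from 5.4T to 5.6T part-way through the window.
EVENTS = [
    ("2016-12-14 08:35:54", "clt11evfs2", "/iarchive", "5.4T", 96.00),
    ("2016-12-14 20:35:54", "clt11evfs2", "/iarchive", "5.4T", 98.00),
    ("2016-12-15 08:35:54", "clt11evfs2", "/iarchive", "5.6T", 95.00),
    ("2016-12-16 09:26:06", "clt11evfs2", "/iarchive", "5.6T", 96.00),
]

# Column positions of the fields a `by` clause may name.
FIELD_INDEX = {"BASE_HOST": 1, "VOLUME": 2, "Size": 3}


def stats_by(events, by):
    """Emulate: stats min/max/latest/avg(PercentUsedSpace),
    latest(Size) as Size, latest(_time) as "Last Updated" by <by>.
    `by` is a tuple of field names from FIELD_INDEX."""
    groups = defaultdict(list)
    # Sort by _time first so that "latest" is the last event per group.
    for ev in sorted(events):
        key = tuple(ev[FIELD_INDEX[f]] for f in by)
        groups[key].append(ev)
    rows = []
    for key, evs in groups.items():
        pct = [e[4] for e in evs]
        last = evs[-1]
        row = dict(zip(by, key))
        row.update({
            "Smallest": round(min(pct), 2),
            "Peak": round(max(pct), 2),
            "Current": round(pct[-1], 2),        # latest(PercentUsedSpace)
            "Average": round(sum(pct) / len(pct), 2),
            "Size": last[3],                      # latest(Size): current volume size
            "Last Updated": last[0],              # latest(_time)
        })
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Grouping on Size: two rows for the same volume (the original problem).
    print(stats_by(EVENTS, ("BASE_HOST", "VOLUME", "Size")))
    # Dropping Size from `by` and taking latest(Size): one row, Size 5.6T.
    print(stats_by(EVENTS, ("BASE_HOST", "VOLUME")))
```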