Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search all mount points on all hosts to build a report on storage?

fd26645
Path Finder
‎02-18-2015 03:39 AM

I am trying to run a search against all hosts, but I am having difficulty figuring out the right approach. A simplified version of what I am looking for is:

index=os sourcetype=df host=system323 mount=/var | streamstats range(storage_used) as storage_growth window=2

But ultimately I want it to search all mount points on all hosts and then send that to a chart or a report.

I tried a few different approaches, but none of them gave me the expected results. I felt like I was on the right path with subsearches because it felt like the equivalent of a for loop, but it did not yield the expected results

index=os sourcetype=df [search index=os sourcetype=df [search index=os sourcetype=df earliest=-1d@d latest=now() | stats values(host) AS host] earliest=-1d@d latest=now() | stats values(mount) AS mount] | streamstats range(storage_used) as storage_growth window=2

How can I take my first search and build a report that will include all hosts and mount points?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎02-18-2015 05:14 AM

It looks like you're interested in the changes over time so off the top of my head maybe something like:

index=os sourcetype=df host=* mount=* | streamstats last(storage_used) as last_storage current=f by host,mount | eval host_mount=host.":".mount | eval delta=storage_used-last_storage | timechart sum(delta) by host_mount

View solution in original post

Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎02-18-2015 05:14 AM

It looks like you're interested in the changes over time so off the top of my head maybe something like:

index=os sourcetype=df host=* mount=* | streamstats last(storage_used) as last_storage current=f by host,mount | eval host_mount=host.":".mount | eval delta=storage_used-last_storage | timechart sum(delta) by host_mount
Reply
Solved! Jump to solution

fd26645
Path Finder
‎02-18-2015 05:36 AM

Thanks for the suggestion. by host,mount has opened up a new world for me. But it seems like you have manually recreated what range() is supposed to do. Does range not work for this?

0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎02-18-2015 11:21 AM

I'll admit upfront that I haven't used range() before, however from the doc, it seems that range is always positive, instead of varying sign depending on if you have added or removed storage.

Reply
Get Updates on the Splunk Community!

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...

The Visibility Gap: Hybrid Networks and IT Services

The most forward thinking enterprises among us see their network as much more than infrastructure – it's their ...

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
Top