- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search all mount points on all hosts to bui...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to run a search against all hosts, but I am having difficulty figuring out the right approach. A simplified version of what I am looking for is:
index=os sourcetype=df host=system323 mount=/var | streamstats range(storage_used) as storage_growth window=2
But ultimately I want it to search all mount points on all hosts and then send that to a chart or a report.
I tried a few different approaches, but none of them gave me the expected results. I felt like I was on the right path with subsearches because it felt like the equivalent of a for loop, but it did not yield the expected results
index=os sourcetype=df [search index=os sourcetype=df [search index=os sourcetype=df earliest=-1d@d latest=now() | stats values(host) AS host] earliest=-1d@d latest=now() | stats values(mount) AS mount] | streamstats range(storage_used) as storage_growth window=2
How can I take my first search and build a report that will include all hosts and mount points?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like you're interested in the changes over time so off the top of my head maybe something like:
index=os sourcetype=df host=* mount=* | streamstats last(storage_used) as last_storage current=f by host,mount | eval host_mount=host.":".mount | eval delta=storage_used-last_storage | timechart sum(delta) by host_mount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like you're interested in the changes over time so off the top of my head maybe something like:
index=os sourcetype=df host=* mount=* | streamstats last(storage_used) as last_storage current=f by host,mount | eval host_mount=host.":".mount | eval delta=storage_used-last_storage | timechart sum(delta) by host_mount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the suggestion. by host,mount has opened up a new world for me. But it seems like you have manually recreated what range() is supposed to do. Does range not work for this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll admit upfront that I haven't used range() before, however from the doc, it seems that range is always positive, instead of varying sign depending on if you have added or removed storage.
Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...
Enterprise Security Content Update (ESCU) | New Releases
Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest
