Solved: Re: Search query to send alert when a filesystem p...

Isaias_Garcia · ‎01-29-2015

Hi-

I have the logs below in SPlunk. I wanted to create an alert when the UsePct is gretaer than 90%. Please help for the serach query that I will use to this. Thank you

Filesystem MountedOn Size UsePct
/dev/mapper/vg00-root / 9.9G 23%
/dev/sda1 /boot 92M 75%
/dev/mapper/vg00-var /var 4.8G 89%
/dev/mapper/vg00-tmp /tmp 2.0G 92%

richgalloway · ‎01-29-2015

Add this to your existing search then set it up as a scheduled search that sends an email (or other alert) if there are results.

... | replace "*%" with "*" in UsePct | table Filesystem UsePct | where UsePct > 90

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎01-29-2015

Add this to your existing search then set it up as a scheduled search that sends an email (or other alert) if there are results.

... | replace "*%" with "*" in UsePct | table Filesystem UsePct | where UsePct > 90

---
If this reply helps you, Karma would be appreciated.

Isaias_Garcia · ‎01-29-2015

wow just wow!! it works!! thank you so much!

Search query to send alert when a filesystem percentage usage is greater than 90%

Harnessing Splunk’s Federated Search for Amazon S3

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases