Solved: Re: Trouble with df script and charting

aferone · ‎05-17-2012

We use the "df" script to grab disk space data from one of our Linux servers. We use the following search to pull out the "Used" number for the XFS volume:

source="df" host="hostname" | multikv fields Filesystem Size Used Avail Use% Mounted | search xfs | table _time Used | eval Used=rtrim(Used, "[K,G,M,T]")

The number was in the MBs, so we were able to chart it successfully, and it was in the 100s (for example, 978, 988, 994). However, now that we have reached over 1 Terabyte, the number we pull is single digits (1.0, 1.1, 1.2), and the chart is screwed up since it dive bombs from 999 to 1.0.

Is there a way to convert the number (by multiplying by 1000), but only when the field contains a "T" (for terabyte), and not a "G", or "M", etc?

Thanks!

auntyem · ‎05-18-2012

Here's what I did:
eval UsedG = case(match(Used,"[M]"),round(tonumber(rtrim(Used,"M"))/1024,3),match(Used,"[T]"),round(tonumber(rtrim(Used,"T"))*1024,3),match(Used,"[G]"),round(tonumber(rtrim(Used,"G")),3))

View solution in original post

auntyem · ‎05-18-2012

Here's what I did:
eval UsedG = case(match(Used,"[M]"),round(tonumber(rtrim(Used,"M"))/1024,3),match(Used,"[T]"),round(tonumber(rtrim(Used,"T"))*1024,3),match(Used,"[G]"),round(tonumber(rtrim(Used,"G")),3))

aferone · ‎05-18-2012

This worked! Thank you very much!!

gkanapathy · ‎05-17-2012

Honestly, I would consider this a flaw in the Splunk df.sh script. In fact, the native df shell command is perfectly capable of returning straight numbers (with the -k option), and in fact the Splunk df.sh script goes through some trouble to make it return numeric values in human-convenient (and machine-inconvenient) formats on other platforms. I would probably ask for an ER, but it would be a bit problematic to implement since there will be legacy problems.

cphair · ‎05-17-2012

Pipe your search to an eval and if.



... | eval TestVal=if(match(Value,"TB"),Value*1000,Value)

You will have fewer significant digits for the TB entries, but the scale will be corrected.

aferone · ‎05-18-2012

Thank you very much for your help. The answer below worked. I appreciate your time!

cphair · ‎05-18-2012

That might work, but it would make your current data different from your historical data, and people might get unexpected results if they search across both sets. If you don't care about that, or if you're going to delete the old data, it's probably fine.

If you don't mind, would you post a line from your "table _time Used" so I can see what the format looks like? Or print "table _time Used Multiplier" to see if the multiplier is always 1? The eval method should work, but without seeing the exact data it's hard to get the correct syntax.

aferone · ‎05-18-2012

Thank you again for replying. The search you provided runs, but it doesn't change the "T" values still.

Would I able to just edit the df.sh script from the UNIX app so that the "df" results are not in human format? Then, I can just manipulate the results in the search?

Thanks again!

cphair · ‎05-17-2012

OK, on looking at this more carefully, it sounds like you need to both figure out what the letter is at the end of the Used field, and to strip it out so you can do math on it. I don't have df data to test on, but I suspect your search should look something like "source="df" host="hostname" | multikv fields Filesystem Size Used Avail Use% Mounted | search xfs | eval Multiplier=if(match(Used,"T"),1000,1) | eval Used=rtrim(Used, "[K,G,M,T]") | eval Used=Used*Multiplier | table _time Used "

aferone · ‎05-17-2012

Would I append that at the end of my search as written?

Trouble with df script and charting

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...