We use the "df" script to grab disk space data from one of our Linux servers. We use the following search to pull out the "Used" number for the XFS volume:
source="df" host="hostname" | multikv fields Filesystem Size Used Avail Use% Mounted | search xfs | table _time Used | eval Used=rtrim(Used, "[K,G,M,T]")
The values were in gigabytes, so we were able to chart them successfully, and they were in the hundreds (for example, 978, 988, 994). However, now that we have passed 1 terabyte, the numbers we pull are single digits (1.0, 1.1, 1.2), and the chart is broken since it plunges from 999 to 1.0.
Is there a way to convert the number (by multiplying by 1000), but only when the field contains a "T" (for terabyte), and not a "G", "M", etc.?
Pipe your search into an eval with an if():
... | eval TestVal=if(match(Value,"TB"),Value*1000,Value)
OK, on looking at this more carefully, it sounds like you need to both figure out which letter is at the end of the Used field and strip it out so you can do math on the number. I don't have df data to test on, but I suspect your search should look something like this:

source="df" host="hostname" | multikv fields Filesystem Size Used Avail Use% Mounted | search xfs | eval Multiplier=if(match(Used,"T"),1000,1) | eval Used=rtrim(Used, "[K,G,M,T]") | eval Used=Used*Multiplier | table _time Used
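For what it's worth, the eval chain above is doing the equivalent of the following shell sketch (hypothetical value, just to show the compute-multiplier / strip-suffix / multiply steps):

```shell
# Sketch of the Splunk eval chain: pick a multiplier based on the suffix,
# strip the suffix, then multiply. Uses a made-up sample value.
used="1.2T"

# Multiplier=if(match(Used,"T"),1000,1)
case "$used" in *T) mult=1000 ;; *) mult=1 ;; esac

# Used=rtrim(Used, "KGMT")
num=$(printf '%s' "$used" | tr -d 'KMGT')

# Used=Used*Multiplier
result=$(awk -v v="$num" -v m="$mult" 'BEGIN{print v*m}')
echo "$result"   # prints 1200
```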
Thank you again for replying. The search you provided runs, but it still doesn't change the "T" values.
Would I be able to just edit the df.sh script from the UNIX app so that the "df" results are not in human-readable format? Then I could just manipulate the results in the search.
That might work, but it would make your current data different from your historical data, and people might get unexpected results if they search across both sets. If you don't care about that, or if you're going to delete the old data, it's probably fine.
If you don't mind, would you post a line from your "table _time Used" so I can see what the format looks like? Or print "table _time Used Multiplier" to see if the multiplier is always 1? The eval method should work, but without seeing the exact data it's hard to get the correct syntax.
Honestly, I would consider this a flaw in the Splunk df.sh script. The native df shell command is perfectly capable of returning plain numbers (with the -k option), and the Splunk df.sh script actually goes through some trouble on other platforms to produce human-convenient (and machine-inconvenient) formats. I would probably file an ER (enhancement request), but it would be a bit problematic to implement, since it would create legacy-data problems.
Here's what I did:
eval UsedG = case(
    match(Used,"M"), round(tonumber(rtrim(Used,"M"))/1024, 3),
    match(Used,"T"), round(tonumber(rtrim(Used,"T"))*1024, 3),
    match(Used,"G"), round(tonumber(rtrim(Used,"G")), 3)
)
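For readers outside Splunk, that case() eval can be sketched as a small shell function (hypothetical helper name; it assumes the same binary 1024 factors as the eval, normalizing everything to gigabytes):

```shell
# Hypothetical helper mirroring the case() eval above:
# strip the df -h suffix and normalize the value to gigabytes.
convert_to_gb() {
  case "$1" in
    *M) awk -v v="${1%M}" 'BEGIN{printf "%.3f", v/1024}' ;;  # MB -> GB
    *T) awk -v v="${1%T}" 'BEGIN{printf "%.3f", v*1024}' ;;  # TB -> GB
    *G) awk -v v="${1%G}" 'BEGIN{printf "%.3f", v+0}' ;;     # GB as-is
  esac
}

convert_to_gb 1.1T   # prints 1126.400
```

With values normalized to one unit, the 999-to-1.0 plunge in the chart goes away.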