index=os source=df

Splunk_U · ‎01-11-2013

When executing the search "index=os source=df" it is gvng me the data for /dev/ammper/system-root and /dev/sda...is there is a way that I can get the data only for /dev/mapper/system-root????

mikelanghorst · ‎01-14-2013

index=os source=df "/dev/mapper/system-root" | multikv | search Filesystem="/dev/mapper/system-root"

will return only that single line.

*minor edit to add "search" before Filesystem

mikelanghorst · ‎01-14-2013

multikv is just responsible for taking a table set of results, and splitting them into individual lines and field extracting.

Without the multikv, it will return the full df output. With it, just the single line.

Splunk_U · ‎01-14-2013

I dont understand why have you given multikv where you have not given anf feilds with that? For me index=os source=df Filesystem="/dev/mapper/system-root" has given me the result set that I wanted

mattwesthoff · ‎01-12-2013

Just add "/dev/mapper/system-root" to your search!

index=os source=df "/dev/mapper/system-root"

(If you only want to match that path in a specific field obviously just put field=/dev/mapper/system-root)

Splunk_U · ‎01-13-2013

Yes...I have used Filesystem=/dev/mapper/system-root and it is working fine now

index=os source=df

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Join the Conversation

index=os source=df

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+