index=os source=df

Splunk_U · ‎01-11-2013

When executing the search "index=os source=df" it is gvng me the data for /dev/ammper/system-root and /dev/sda...is there is a way that I can get the data only for /dev/mapper/system-root????

mikelanghorst · ‎01-14-2013

index=os source=df "/dev/mapper/system-root" | multikv | search Filesystem="/dev/mapper/system-root"

will return only that single line.

*minor edit to add "search" before Filesystem

mikelanghorst · ‎01-14-2013

multikv is just responsible for taking a table set of results, and splitting them into individual lines and field extracting.

Without the multikv, it will return the full df output. With it, just the single line.

Splunk_U · ‎01-14-2013

I dont understand why have you given multikv where you have not given anf feilds with that? For me index=os source=df Filesystem="/dev/mapper/system-root" has given me the result set that I wanted

mattwesthoff · ‎01-12-2013

Just add "/dev/mapper/system-root" to your search!

index=os source=df "/dev/mapper/system-root"

(If you only want to match that path in a specific field obviously just put field=/dev/mapper/system-root)

Splunk_U · ‎01-13-2013

Yes...I have used Filesystem=/dev/mapper/system-root and it is working fine now

index=os source=df

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

4 Ways the Splunk Community Helps You Prepare for .conf25

Are you a member of the Splunk Community?

index=os source=df

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

4 Ways the Splunk Community Helps You Prepare for .conf25