So you want just read and write and don't care about hosts? (ie just the two fields?). If so then just leave the host off. The "by" command just separates it into series. Sorry im just not quite understanding the required output so im guessing 😞 ... View more

Do you already have the data you want to use in an index? Like filesystem: space used + total space? Or if your input is something like df 's output, even percentage used or available space? With something like used space + available space, you should be able to achieve something along the lines of what you want by building a stacked column chart of these. <yourbasesearch> | chart first(space_used),first(space_available) by filesystem As space_used + space_available will be equivalent to the total space, the total height of each column will show the total space. ... View more

I believe you could create a new class for each grouping of clients, and then create a new add-on under deployment-apps for each. The add-ons would simply include the inputs.conf for that group: - deployment_apps - unix - unix_input_group1 - default - inputs.conf - unix_input_group2 - default - inputs.conf You would leave all inputs disabled in the main unix app, and instead have them setup in the add-ons for the class. A couple of caveats though; the standard unix app inputs.conf has script stanzas like this: [script://./bin/iostat.sh] interval = 60 sourcetype = iostat source = iostat index = os disabled = 1 I imagine you'd have to modify the stanza to the full path (i.e. [script://$SPLUNK_HOME/etc/apps/unix/bin/iostat.sh]) because the referenced scripts aren't in your new app's bin directory. Also, I don't imagine that stanzas in your custom add-ons would properly override those in the unix app. In other words, if you have a unix/default/inputs.conf with this stanza: [monitor:///var/log] _whitelist=(\.log|log$|messages$|mesg$|cron$|acpid$|\.out) _blacklist=(lastlog) index=os disabled = 1 best practice to enable it would be to create a unix/local/inputs.conf like this: [monitor:///var/log] disabled = 0 However, I don't believe you could enable an input in that way if you're working off of a unix/default/inputs.conf in another app's directory (though I'm not positive of that, so you may want to give it a try). So, you probably need to just copy the entire unix/default/inputs.conf to your new apps, modify script paths and intervals. ... View more

turns out I just needed to swap the order of the measures in the by statement: sourcetype="clariion_lun" tag=XXX | bucket span=10m _time | stats sum(Total_Throughput_IO_per_sec) as IOPS by _time,Raid_Group |sort -IOP ... View more

Thanks again, as always. The bucket span option did the trick. The reason I'm using stats to sum is because I want to sum column3 for SPA and SPB then take an average over time. If I used sum in timechart it would add column3 and the data would be misrepresented whenever timechart span exceeded 10 mins. ... View more

well I'm dumb, and should read things first, like putting new data into a test index to make sure it looks ok and test props.conf etc. i guess i can just make a new index and splunk should index with correct timestamps ... View more

that did it, so simple. Thank you kindly, much appreciated. ... View more

yes, splunk is running as root and the .sp files have identical permissions to the other files in the same dir that are getting picked up. thanks. ... View more