Hi vijaykumartcs,
have you seen Splunk Distributed Monitoring Console?
in the default alerts there is the "DMC Alert - Near Critical Disk Usage" that probably can guide you to solve your problem, something like this:
index=xyz sourcetype=abc host= OR host= disk=*
| eval free = if(isnotnull(available), available, free)
| eval usage = capacity - free
| eval pct_usage = floor(usage / capacity * 100)
| where pct_usage > 60
| stats first(fs_type) as fs_type first(capacity) AS capacity first(usage) AS usage first(pct_usage) AS pct_usage by splunk_server, mount_point
| eval usage = round(usage / 1024, 2)
| eval capacity = round(capacity / 1024, 2)
| rename splunk_server AS Instance mount_point as "Mount Point", fs_type as "File System Type", usage as "Usage (GB)", capacity as "Capacity (GB)", pct_usage as "Usage (%)"
Bye.
Giuseppe
... View more