Hello
I'm working on setting up the alert for when the disk space usage reaches above 80.
However, I don't know how to change, in the query, the partition that we need to check.
The Splunk service is installed on the main partition; however, I want to set the alert for another partition, the one that stores the logs.
Here is the search for the alarm:
| rest splunk_server_group=dmc_group_* /services/server/status/partitions-space
| eval free = if(isnotnull(available), available, free)
| eval usage = capacity - free
| eval pct_usage = floor(usage / capacity * 100)
| where pct_usage > 30
| stats first(fs_type) as fs_type first(capacity) AS capacity first(usage) AS usage first(pct_usage) AS pct_usage by splunk_server, mount_point
| eval usage = round(usage / 1024, 2)
| eval capacity = round(capacity / 1024, 2)
| rename splunk_server AS Instance mount_point as "Mount Point", fs_type as "File System Type", usage as "Usage (GB)", capacity as "Capacity (GB)", pct_usage as "Usage (%)"
And the result for the search:
And the partition that we need to monitor is this one:
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/vg00-root   1014M   84M  931M   9% /
/dev/mapper/vg00-usr     4.0G  1.8G  2.3G  45% /usr
/dev/sda1               1014M  192M  823M  19% /boot
/dev/mapper/vg00-opt      10G  6.3G  3.8G  63% /opt
/dev/mapper/vg01-splunk   32G   15G   18G  47% /var/log/splunk
How can I change the query so that the search is done on the last partition?
Regards!
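One way to restrict this search to a single partition, as an added example rather than the poster's own query: the partitions-space endpoint returns a mount_point field whose value matches the "Mounted on" column of df, so a search filter on it right after the rest command keeps only that partition; the threshold is set to the 80% mentioned in the post instead of the 30 used for testing.

```spl
| rest splunk_server_group=dmc_group_* /services/server/status/partitions-space
| search mount_point="/var/log/splunk"
| eval free = if(isnotnull(available), available, free)
| eval usage = capacity - free
| eval pct_usage = floor(usage / capacity * 100)
| where pct_usage > 80
| stats first(fs_type) AS fs_type first(capacity) AS capacity first(usage) AS usage first(pct_usage) AS pct_usage by splunk_server, mount_point
| eval usage = round(usage / 1024, 2), capacity = round(capacity / 1024, 2)
| rename splunk_server AS Instance, mount_point AS "Mount Point", fs_type AS "File System Type", usage AS "Usage (GB)", capacity AS "Capacity (GB)", pct_usage AS "Usage (%)"
```

The filter accepts wildcards, so mount_point="/var/log/*" would cover several log partitions at once; run the search without the where clause first to confirm the exact mount_point value each instance reports.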